fix(deps): update rust crate jsonwebtoken to v10 #98

Open: renovate[bot] wants to merge 1 commit into main from renovate/jsonwebtoken-10.x

@renovate renovate Bot commented Jun 7, 2026

This PR contains the following updates:

Package | Type | Update | Change
jsonwebtoken | dependencies | major | 9 → 10

Release Notes

Keats/jsonwebtoken (jsonwebtoken)

v10.4.0

  • Fix incorrect encoding for Ed25519 JWK thumbprints
  • Make Algorithm.family public and add Validation.new_for_family
  • EncodingKey and DecodingKey are now partially zeroized on drop (the intermediate PemEncodedKey isn't so far)

v10.3.0

  • Export everything needed to define your own CryptoProvider
  • Fix type confusion with exp/nbf when not required

v10.2.0

  • Remove Clone bound from decode functions

v10.1.0

  • add dangerous::insecure_decode
  • Implement TryFrom &Jwk for DecodingKey

v10.0.0

  • BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
  • Add Clone bound to decode
  • Support decoding byte slices
  • Support JWS

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • "before 9am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the dependencies label Jun 7, 2026

cloudflare-workers-and-pages Bot commented Jun 7, 2026

Deploying koyori with Cloudflare Pages

Latest commit: 9c4ad44
Status: ✅  Deploy successful!
Preview URL: https://ed977b4b.koyori.pages.dev
Branch Preview URL: https://renovate-jsonwebtoken-10-x.koyori.pages.dev

@renovate renovate Bot force-pushed the renovate/jsonwebtoken-10.x branch from 9c4ad44 to fbe73b7 Compare June 9, 2026 03:13

coderabbitai Bot commented Jun 9, 2026

Walkthrough

Upgraded the jsonwebtoken dependency in the backend's Cargo.toml from version 9 to version 10. The use_pem feature flag is retained. No other dependencies were changed.

Changes

Dependency updates

Layer / File(s) | Summary
jsonwebtoken version bump (apps/backend/Cargo.toml) | The jsonwebtoken dependency was updated from version 9 to 10. The use_pem feature flag is kept unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 The token's key gets an upgrade,
evolved to version ten.
The PEM feature stays the same,
on the road to better security.
A small change, great peace of mind. ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The pull request title clearly and concisely summarizes the main change (updating jsonwebtoken from v9 to v10) and fully matches the primary change specified by the author.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@apps/backend/Cargo.toml`:
- Line 68: The Cargo.toml currently lists jsonwebtoken = { version = "10",
features = ["use_pem"] } but v10 requires an explicit crypto backend; update the
jsonwebtoken dependency to enable either aws_lc_rs or rust_crypto (e.g., add
"aws_lc_rs" or "rust_crypto" to features and typically set default-features =
false) so RSA signing calls such as EncodingKey::from_rsa_pem and usage of
Algorithm::RS256 have a functioning crypto provider; pick one backend and add it
to the features list in the dependency entry.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: f6e812f7-c306-42b0-aa29-3be2c9139344

📥 Commits

Reviewing files that changed from the base of the PR and between c029cfc and fbe73b7.

⛔ Files ignored due to path filters (1)
  • apps/backend/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • apps/backend/Cargo.toml

Comment thread apps/backend/Cargo.toml
time = { version = "0.3", features = ["serde"] }
reqwest = { version = "0.13", default-features = false, features = ["json", "rustls", "form"] }
jsonwebtoken = { version = "9", features = ["use_pem"] }
jsonwebtoken = { version = "10", features = ["use_pem"] }
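
Review bot: The replacement `jsonwebtoken` line at the end of this hunk carries over `features = ["use_pem"]` unchanged and names neither `aws_lc_rs` nor `rust_crypto`, while the v10.0.0 release notes quoted in this PR mark the backend choice as BREAKING ("you have to choose between aws_lc_rs and rust_crypto"). Pick one backend and add it to the `features` list in this same entry, then confirm with a build and a sign-and-verify test against the key format the backend uses before merging; automerge is disabled, so this is a manual decision anyway.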

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

jsonwebtoken rust crate version 10 required feature flags crypto backend aws_lc_rs rust_crypto

💡 Result:

In version 10 of the jsonwebtoken Rust crate, you must select exactly one cryptographic backend by enabling either the aws_lc_rs feature or the rust_crypto feature [1][2][3][4]. If you do not explicitly enable one of these features, you are required to provide your own CryptoProvider [1][4][5]. The features function as follows:

  • aws_lc_rs: Enables the aws-lc-rs cryptographic backend [3][6][7].
  • rust_crypto: Enables a collection of pure-Rust cryptographic crates, specifically: ed25519-dalek, hmac, p256, p384, rand, rsa, and sha2 [3][6][7].

By default, the crate also enables the use_pem feature (which includes the pem and simple_asn1 dependencies) [3][6][7]. If you do not require PEM decoding, you can disable default features in your Cargo.toml [1][3][4]:

jsonwebtoken = { version = "10", default-features = false, features = ["aws_lc_rs"] }


🏁 Script executed:

#!/bin/bash
# Description: Check which crypto backend is being used by jsonwebtoken v10

# Check Cargo.lock for jsonwebtoken and its dependencies
if [ -f "Cargo.lock" ]; then
  echo "=== jsonwebtoken entry in Cargo.lock ==="
  rg -A 10 '^name = "jsonwebtoken"' Cargo.lock
  echo ""
  echo "=== Checking for aws-lc-rs or ring (aws_lc_rs backend) ==="
  rg '^name = "(aws-lc-rs|ring)"' Cargo.lock
  echo ""
  echo "=== Checking for RustCrypto crates (rust_crypto backend) ==="
  rg '^name = "(rsa|ecdsa|ed25519-dalek)"' Cargo.lock
else
  echo "Cargo.lock not found"
fi

# Check the jsonwebtoken crate documentation
echo ""
echo "=== Attempting to fetch feature information from crates.io ==="
curl -s https://crates.io/api/v1/crates/jsonwebtoken | jq -r '.versions[] | select(.num | startswith("10.")) | {version: .num, features: .features} | @json' | head -5

Repository: koyori-app/task

Length of output: 220


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== apps/backend/Cargo.toml jsonwebtoken dependency ==="
rg -n 'jsonwebtoken\s*=' apps/backend/Cargo.toml || true
sed -n '1,120p' apps/backend/Cargo.toml | nl -ba | sed -n '50,90p' || true

echo ""
echo "=== Search for CryptoProvider usage in backend ==="
rg -n 'CryptoProvider' apps/backend || true
rg -n 'jsonwebtoken' apps/backend --glob '*.{rs,toml,md}' -S || true

echo ""
echo "=== Any mention of aws_lc_rs / rust_crypto features ==="
rg -n 'aws_lc_rs|rust_crypto' apps/backend/Cargo.toml apps/backend -S || true

Repository: koyori-app/task

Length of output: 528


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== apps/backend/Cargo.toml around line 68 ==="
sed -n '55,80p' apps/backend/Cargo.toml | cat -n

echo ""
echo "=== Search for CryptoProvider / Provider trait usage ==="
rg -n 'CryptoProvider|CryptoProvider<|CryptoProvider\s*:' apps/backend/src || true
rg -n 'aws_lc_rs|rust_crypto' apps/backend/Cargo.toml || true

echo ""
echo "=== Inspect github_api.rs usage of jsonwebtoken ==="
sed -n '1,160p' apps/backend/src/utils/github_api.rs | cat -n

echo ""
echo "=== Locate Cargo.lock files ==="
fd -t f 'Cargo.lock' . || true

Repository: koyori-app/task

Length of output: 7825


🏁 Script executed:

#!/bin/bash
set -euo pipefail

LOCK="apps/backend/Cargo.lock"
[ -f "$LOCK" ] || { echo "Missing $LOCK"; exit 1; }

echo "=== jsonwebtoken package entries (all versions) ==="
rg -n '^name = "jsonwebtoken"$' "$LOCK" || true

echo ""
echo "=== Dump jsonwebtoken stanzas with dependencies ==="
# Print from the line containing `name = "jsonwebtoken"` up to the next blank line after the stanza.
# Cargo.lock entries are separated by blank lines.
python3 - <<'PY'
import re, pathlib
lock = pathlib.Path("apps/backend/Cargo.lock").read_text(encoding="utf-8")
blocks = lock.split("\n\n")
for b in blocks:
    if 'name = "jsonwebtoken"' in b:
        # show the whole block but cap length
        print("---- block ----")
        print("\n".join(b.splitlines()[:80]))
PY

echo ""
echo "=== Presence of aws-lc-rs / ring in lock ==="
rg -n '^name = "(aws-lc-rs|ring)"$' "$LOCK" || true

echo ""
echo "=== Presence of rsa/ecdsa/ed25519-dalek in lock ==="
rg -n '^name = "(rsa|ecdsa|ed25519-dalek)"$' "$LOCK" || true

Repository: koyori-app/task

Length of output: 726


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json, urllib.request, sys

ver = "10.4.0"
url = f"https://crates.io/api/v1/crates/jsonwebtoken/{ver}"
data = json.loads(urllib.request.urlopen(url).read().decode("utf-8"))

# Print relevant feature/default info (shape may vary slightly)
v = data.get("version") or {}
default_features = v.get("default_features")
features = v.get("features") or {}

print("=== jsonwebtoken version ===")
print("num:", v.get("num"))
print("default_features:", default_features)

print("\n=== features keys ===")
print(sorted(features.keys())[:50], "..." if len(features)>50 else "")
print("\n=== aws_lc_rs / rust_crypto / use_pem ===")
for k in ["aws_lc_rs","rust_crypto","use_pem"]:
    if k in features:
        print(k, "enabled-by:", features[k].get("dependencies") if isinstance(features[k], dict) else features[k])
    else:
        # sometimes crates.io returns features as mapping of feature->list
        print(k, "NOT FOUND")

print("\n=== effective default features (if available) ===")
# In some responses, `features` is a mapping and default is via `default_features` boolean only.
# If default_features is false, then no implicit features should apply.
PY

Repository: koyori-app/task

Length of output: 2641


🏁 Script executed:

#!/bin/bash
set -euo pipefail

LOCK="apps/backend/Cargo.lock"
python3 - <<'PY'
import re, pathlib
text = pathlib.Path("apps/backend/Cargo.lock").read_text(encoding="utf-8")
blocks = text.split("\n\n")
targets = ["aws-lc-rs", "ring", "rsa", "ecdsa", "ed25519-dalek"]
for t in targets:
    dependers = []
    for b in blocks:
        if f'name = "{t}"' in b:
            # skip the package definition itself; we care about other packages
            continue
        if f'"{t}"' in b or f'name = "{t}"' in b:
            # We need the "dependencies = [" section; a rough check is OK:
            m = re.search(r'\[\[package\]\]\nname = "([^"]+)"', b)
            if not m:
                continue
            dependers.append(m.group(1))
    # De-dup while preserving order
    seen=set()
    dependers2=[]
    for d in dependers:
        if d not in seen:
            seen.add(d); dependers2.append(d)
    print(f"=== Packages that appear to depend on {t} (heuristic) ===")
    print("\n".join(dependers2[:50]) + ("\n..." if len(dependers2)>50 else ""))
    print()
PY

Repository: koyori-app/task

Length of output: 460


🌐 Web query:

jsonwebtoken 10.4.0 features aws_lc_rs rust_crypto default-features use_pem CryptoProvider requirement

💡 Result:

In jsonwebtoken version 10.4.0, cryptography backends are decoupled, requiring users to explicitly select a provider to perform cryptographic operations [1][2][3].

Features and Backends

You must select either the aws_lc_rs or rust_crypto feature to serve as your cryptographic backend [1][4]. At most one of these features may be enabled at a time [5][2].

  1. aws_lc_rs: Enables the aws-lc-rs crate as the backend [6][7].
  2. rust_crypto: Enables a collection of crates from the Rust Crypto project (including ed25519-dalek, hmac, p256, p384, rand, rsa, and sha2) [6][8][7].

If you choose not to enable either of these features, you are required to provide your own custom CryptoProvider implementation [1][7].

The use_pem Feature

The use_pem feature is enabled by default [6][9]. It provides functionality for decoding PEM-formatted keys and relies on the pem and simple_asn1 crates [6][8]. If you do not require PEM decoding, you can disable this by setting default-features = false in your Cargo.toml [1][5].

Example Configuration

To use a backend (e.g., aws_lc_rs) while optionally managing PEM support:

# Example Cargo.toml configuration
[dependencies]
jsonwebtoken = { version = "10.4.0", default-features = false, features = ["aws_lc_rs", "use_pem"] }

For details on implementing a custom CryptoProvider, refer to the documentation in the jsonwebtoken::crypto module [7][3].


[Important] Explicitly select a crypto backend (aws_lc_rs / rust_crypto) for jsonwebtoken v10

  • Currently apps/backend/Cargo.toml has only jsonwebtoken = { version = "10", features = ["use_pem"] }; neither aws_lc_rs nor rust_crypto is specified.
  • v10 assumes that you select a crypto backend, either aws_lc_rs or rust_crypto (or supply your own CryptoProvider), so as it stands the signing setup (EncodingKey::from_rsa_pem + Algorithm::RS256) may not work.
  • Fix: add aws_lc_rs or rust_crypto to features (e.g. jsonwebtoken = { version = "10", default-features = false, features = ["use_pem", "aws_lc_rs"] } / ["use_pem", "rust_crypto"]).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/backend/Cargo.toml` at line 68, The Cargo.toml currently lists
jsonwebtoken = { version = "10", features = ["use_pem"] } but v10 requires an
explicit crypto backend; update the jsonwebtoken dependency to enable either
aws_lc_rs or rust_crypto (e.g., add "aws_lc_rs" or "rust_crypto" to features and
typically set default-features = false) so RSA signing calls such as
EncodingKey::from_rsa_pem and usage of Algorithm::RS256 have a functioning
crypto provider; pick one backend and add it to the features list in the
dependency entry.
