Update jwt requirement from ~> 2 to >= 2, < 4

[dependabot]

Updates the requirements on jwt to permit the latest version.

Changelog

Sourced from jwt's changelog.

v3.1.1 (2025-06-24)

Full Changelog

Fixes and enhancements:

• Require the algorithm to be provided when signing and verifying tokens using JWKs #695 (@​anakinj)

v3.1.0 (2025-06-23)

Full Changelog

Features:

• Add support for x5t header parameter for X.509 certificate thumbprint verification #669 (@​hieuk09)
• Raise an error if the ECDSA signing or verification key is not an instance of OpenSSL::PKey::EC #688 (@​anakinj)
• Allow OpenSSL::PKey::EC::Point to be used as the verification key in ECDSA #689 (@​anakinj)
• Require claims to have been verified before accessing the JWT::EncodedToken#payload #690 (@​anakinj)
• Support signing and verifying tokens using a JWK #692 (@​anakinj)

v3.0.0 (2025-06-14)

Full Changelog

Breaking changes:

• Require token signature to be verified before accessing payload #648 (@​anakinj)
• Drop support for the HS512256 algorithm #650 (@​anakinj)
• Remove deprecated claim verification methods #654 (@​anakinj)
• Remove dependency to rbnacl #655 (@​anakinj)
• Support only stricter base64 decoding (RFC 4648) #658 (@​anakinj)
• Custom algorithms are required to include JWT::JWA::SigningAlgorithm #660 (@​anakinj)
• Require RSA keys to be at least 2048 bits #661 (@​anakinj)
• Base64 encode and decode the k value for HMAC JWKs #662 (@​anakinj)

Take a look at the upgrade guide for more details.

Features:

• JWT::EncodedToken#verify! method that bundles signature and claim validation #647 (@​anakinj)
• Do not override the alg header if already given #659 (@​anakinj)
• Make JWK::KeyFinder compatible with JWT::EncodedToken #663 (@​anakinj)

Fixes and enhancements:

• Ruby 3.4 to CI matrix #649 (@​anakinj)
• Add logger as development dependency #670 (@​hieuk09)

v2.10.1 (2024-12-26)

... (truncated)

Commits

• 50c01e0 Prepare 3.1.1
• b45219d Do not automatically trust the JWA in the JWK (#695)
• 5c4fb4c Prepare next iteration (#694)
• 646febe Fix date for 3.1.0
• a93b803 Prepare release of 3.1.0 (#693)
• 66547db Support signing and verifying token using a JWK (#692)
• 2b33d5d Fix changelog entry
• 65d2883 Integration tests for EncodedToken (#691)
• b035d0b Require claims to have been verified before accessing the payload (#690)
• 4775b11 Allow point to be used as the verification key in ECDSA (#689)
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.