CRW-9755: Fix CVE-2025-65945 by updating jws to patched versions

[sbouchet]

What does this PR do?

CVE-2025-65945 is an improper signature verification vulnerability in the jws package that allows HMAC signature bypass in JWT validation.

Changes:

• Updated jws from 4.0.0 to 4.0.1 in code/build
• Added override for jsonwebtoken dependency to force jws 3.2.3+ in code/build
• Added override for jws 3.2.3+ in microsoft-authentication extension

All vulnerable jws versions (3.2.2 and 4.0.0) have been replaced with patched versions (3.2.3+ and 4.0.1+).

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9755

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

[openshift-ci-robot]

@sbouchet: This pull request references CRW-9755 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What does this PR do?

CVE-2025-65945 is an improper signature verification vulnerability in the jws package that allows HMAC signature bypass in JWT validation.

Changes:

• Updated jws from 4.0.0 to 4.0.1 in code/build
• Added override for jsonwebtoken dependency to force jws 3.2.3+ in code/build
• Added override for jws 3.2.3+ in microsoft-authentication extension

All vulnerable jws versions (3.2.2 and 4.0.0) have been replaced with patched versions (3.2.3+ and 4.0.1+).

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9755

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[github-actions]

Click here to review and test in web IDE:

[openshift-ci-robot]

@sbouchet: This pull request references CRW-9755 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the vulnerability to target the "4.22.0" version, but no target version was set.

Details

In response to this:

What does this PR do?

CVE-2025-65945 is an improper signature verification vulnerability in the jws package that allows HMAC signature bypass in JWT validation.

Changes:

• Updated jws from 4.0.0 to 4.0.1 in code/build
• Added override for jsonwebtoken dependency to force jws 3.2.3+ in code/build
• Added override for jws 3.2.3+ in microsoft-authentication extension

All vulnerable jws versions (3.2.2 and 4.0.0) have been replaced with patched versions (3.2.3+ and 4.0.1+).

🤖 Generated with Claude Code

What issues does this PR fix?

https://issues.redhat.com/browse/CRW-9755

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

• the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
• the corresponding items were added to the CHANGELOG.md file
• rules for automatic git rebase were added to the .rebase folder

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.