CVE-2025-65015 for joserfc version 1.4.1

[demian-licht-hs]

Seems like a trivial fix. Moto requires joserfc>=0.9.0, the CVE affects joserfc<1.4.2, wondering if there's any reason why we can't bump the requirement?

[bblommers]

Hi @demian-licht-hs, welcome to Moto! As a library, we don't want to have too strict requirements around our dependencies. There will always be users who absolutely need to use a lower version of joserfc, whatever the reason: because newer versions aren't vetted yet, because of API changes, specific behaviour in older versions that they depend on, other libraries that pin this dependency to different versions...

Having the widest range of possible versions gives the users full flexibility in which version they want. We only pin the minimum version that is required for the functionality that's necessary for Moto to work - but if users want to be more specific that, that's always up to them.