Bump github.com/lestrrat-go/jwx/v3 from 3.0.3 to 3.0.4

[dependabot]

Bumps github.com/lestrrat-go/jwx/v3 from 3.0.3 to 3.0.4.

Release notes

Sourced from github.com/lestrrat-go/jwx/v3's releases.

v3.0.4

What's Changed

• Improve performance by @​lestrrat in lestrrat-go/jwx#1391
• Bump golang.org/x/crypto from 0.38.0 to 0.39.0 by @​dependabot in lestrrat-go/jwx#1389
• Bump github.com/golang-jwt/jwt/v5 from 5.2.0 to 5.2.2 in /bench/comparison by @​dependabot in lestrrat-go/jwx#1394

Full Changelog: lestrrat-go/jwx@v3.0.3...v3.0.4

Changelog

Sourced from github.com/lestrrat-go/jwx/v3's changelog.

v3.0.4 09 Jun 2025

• This release contains various performance improvements all over the code.

  Because of the direction that this library is taking, we have always been more focused on correctness and usability/flexibility over performance.

  It just so happens that I had a moment of inspiration and decided to see just how good our AI-based coding agents are in this sort of analysis-heavy tasks.

  Long story short, the AI was fairly good at identifying suspicious code with an okay accuracy, but completely failed to make any meaningful changes to the code in a way that both did not break the code and improved performance. I am sure that they will get better in the near future, but for now, I had to do the changes myself. I should clarify to their defence that the AI was very helpful in writing cumbersome benchmark code for me.

  The end result is that we have anywhere from 10 to 30% performance improvements in various parts of the code that we touched, based on number of allocations. We believe that this would be a significant improvement for many users.

  For further improvements, we can see that there would be a clear benefit to writing optimized code path that is designed to serve the most common cases. For example, for the case of signing JWTs with a single key, we could provide a path that skips a lot of extra processing (we kind of did that in this change, but we could go ever harder in this direction). However, it is a trade-off between maintainability and performance, and as I am currently the sole maintainer of this library for the time being, I only plan to pursue such a route where it requires minimal effort on my part.

  If you are interested in helping out in this area, I hereby thank you in advance. However, please be perfectly clear that unlike other types of changes, for performance related changes, the balance between the performance gains and maintainability is top priority. If you have good ideas and code, they will always be welcome, but please be prepared to justify your changes.

  Finally, thank you for using this library!

Commits

• 3f1f2b8 Update Changes
• 8125b67 Bump github.com/golang-jwt/jwt/v5 in /bench/comparison (#1394)
• 4037c1d Bump golang.org/x/crypto from 0.38.0 to 0.39.0 (#1389)
• cff1d84 Improve performance (#1391)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)