Update firebase jwt requirement to ^7.0 #455

Open
ryanmitchell wants to merge 3 commits into Shopify:main from ryanmitchell:chore/update-firebase-php-jwt

@ryanmitchell ryanmitchell commented Feb 20, 2026

WHY are these changes introduced?

Fixes #454

The package cannot be installed without composer warnings due to the vulnerability on PHP-JWT.

WHAT is this pull request doing?

Updates the minimum version of PHP-JWT to an unaffected version.

Type of change

  • Patch: Bug (non-breaking change which fixes an issue)
  • Minor: New feature (non-breaking change which adds functionality)
  • Major: Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

  • I have added a changelog entry, prefixed by the type of change noted above
  • I have added/updated tests for this change
  • I have updated the documentation for public APIs from the library (if applicable)

@ryanmitchell
Author

I have signed the CLA!

@davidbounliane

Hello,

We are currently facing the same issue. Is it possible to fix this issue?

Thank you!

@oeloukilioutmane

Hello,

We are currently facing the same issue.

Thank you!

@nfourtythree

Also seeing this issue.

Any idea on a timeframe for getting this updated?

Thanks

@robindelaater

We are also running into this issue, hope this gets updated soon!

@kylemilloy

kylemilloy commented Feb 26, 2026

Also seeing this, please expedite.

I'd add that because of "fun" corporate things like Aikido and other security scanners we're blocked by this right now.

@patrick-levesque

I ran into the same issue.

Since the tokens are generated by Shopify and this package only verifies them (it does not generate tokens with weak settings), this does not appear to be critical in this context. You can temporarily ignore the specific advisory in your composer.json until Shopify updates this package.

Here's the quick fix I used:

composer config --merge audit.ignore PKSA-y2cr-5h3j-g3ys
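
An added example, not part of the comment above and not code from the Shopify package: a small CI check that reads the parsed composer.json and composer.lock and reports when the temporary audit.ignore entry has outlived its purpose. It assumes 7.x is the unaffected line, as the pull request states; the function names and sample data are hypothetical.

```python
# Added example: values marked "from the thread" come from the page; the rest is constructed.
ADVISORY = "PKSA-y2cr-5h3j-g3ys"   # from the thread: the id passed to audit.ignore
PACKAGE = "firebase/php-jwt"
FIXED_MAJOR = 7                    # from the thread: the PR raises the constraint to ^7.0


def ignored_advisories(composer_json):
    """Ids under config.audit.ignore; Composer accepts a list or an id -> reason map."""
    ignore = composer_json.get("config", {}).get("audit", {}).get("ignore", [])
    return set(ignore)  # iterating a dict yields its keys, so both shapes work


def locked_major(composer_lock, package):
    """Major version locked for `package`; None if absent or not a tagged release."""
    entries = composer_lock.get("packages", []) + composer_lock.get("packages-dev", [])
    for entry in entries:
        if entry.get("name") == package:
            head = entry.get("version", "").lstrip("v").split(".")[0]
            return int(head) if head.isdigit() else None
    return None


def review_ignore(composer_json, composer_lock):
    """Classify the temporary ignore so CI can flag it once it has outlived its purpose."""
    ignored = ADVISORY in ignored_advisories(composer_json)
    major = locked_major(composer_lock, PACKAGE)
    if major is None:
        return "unknown"          # dev branch or package not locked: review by hand
    if major >= FIXED_MAJOR:
        return "stale-ignore" if ignored else "ok"
    return "suppressed" if ignored else "reported"


# Constructed sample data, not taken from any real project.
SAMPLE_JSON = {"config": {"audit": {"ignore": [ADVISORY]}}}
SAMPLE_LOCK_OLD = {"packages": [{"name": PACKAGE, "version": "v6.10.2"}]}
SAMPLE_LOCK_NEW = {"packages": [{"name": PACKAGE, "version": "v7.0.0"}]}

if __name__ == "__main__":
    print(review_ignore(SAMPLE_JSON, SAMPLE_LOCK_OLD))  # suppressed
    print(review_ignore(SAMPLE_JSON, SAMPLE_LOCK_NEW))  # stale-ignore
```

Failing the build on "stale-ignore" keeps the suppression from lingering after the dependency is upgraded.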

@julionc

julionc commented Feb 27, 2026

cc @lizkenyon

Development

Successfully merging this pull request may close these issues.

Package affected by PHP-JWT vulnerability
