Revert `time` pin and/or drop `jsonwebtoken` dependency ASAP

[tnull]

The time crate just reported a security vulnerability (see rustsec/advisory-db#2626) that was fixed in v0.3.47, one patch release after previously bumping MSRV to rustc v1.88 on v0.3.46.

We're now in a pickle as this probably means we'll have to either revert the pin or drop any dependency depending on time. We currently depend on it through jsonwebtoken and simple_asn1. From a first quick inspection it looks we might not be affected (simple_asn1 only uses PrimitiveDateTime, not the affected Rfc2822, AFAICT), but we should still take action ASAP.

[tnull]

FWIW, had Claude also confirm my initial take-away that we're not directly affected by the security vulnerability:

Vulnerability Summary

The fix in time addresses a stack exhaustion DoS in the RFC2822 date parser. Specifically, the comment() / ccontent() / cfws() functions could be made to recurse infinitely via deeply nested comments in RFC2822-formatted input. The fix adds a DEPTH_LIMIT of 32.

Your Dependency Chain

The time crate (v0.3.45) is a transitive dependency, pulled in via:

vss-server
└── auth-impls
└── jsonwebtoken v9.3.1
└── simple_asn1 v0.6.3
└── time v0.3.45

There is no direct usage of time anywhere in your source code.

Are the Patched Codepaths Reachable?

No, you are not impacted.

simple_asn1 enables the parsing feature of time, but it only uses:

• time::format_description::parse() — to build custom format descriptors for ASN.1 date formats (UTCTime and GeneralizedTime)
• PrimitiveDateTime::parse() / PrimitiveDateTime::format() — with those custom format descriptors

It never invokes the RFC2822 parser. The vulnerable functions (comment(), ccontent(), cfws()) are part of time's RFC2822 parsing module, which is a completely separate code path from format_description-based parsing. Even though the parsing feature is compiled in, the RFC2822 module's
functions are only reached if explicitly called — and nothing in your dependency chain calls them.

In short: the vulnerable code is compiled but dead/unreachable from your crate's perspective. You can safely disregard this advisory for your project.