Security Advisories

CGA-36rj-px8c-hmv2

Published

Last updated

https://images.chainguard.dev/security/CGA-36rj-px8c-hmv2
Package

dbgate-fips

Repository

Chainguard

Latest Update
Pending upstream fix
Aliases
  • CVE-2025-65945
  • GHSA-869p-cjfg-cm3x

Severity

7.5

High

CVSS V3

References

  • https://nvd.nist.gov/vuln/detail/CVE-2025-65945

Updates

Status

Pending upstream fix

Impact

This vulnerability affects jws 3.2.2, a transitive dependency pulled in by jsonwebtoken 8.5.1 in packages/api. The fix is to upgrade jsonwebtoken from 8.5.1 to 9.0.3 or later, which moves jws from 3.2.2 to 4.0.1, the fixed version. Upstream dbgate has an open PR (#443), opened in December 2022, that upgrades jsonwebtoken to 9.0.0, but it remains unmerged, as do the many automated Dependabot PRs attempting the same upgrade. Note that #443 targets 9.0.0, whereas the fix described here needs 9.0.3 or later, so merging that PR as-is would not by itself resolve the advisory. We are deferring to upstream to merge the jsonwebtoken upgrade rather than applying it independently: jsonwebtoken 9.x is a major-version bump, and a delay of more than two years suggests compatibility concerns or testing requirements that we cannot fully evaluate. Reference: https://github.com/dbgate/dbgate/pull/443
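A practitioner tracking this advisory usually wants two things: a quick way to confirm whether an image or checkout still carries jws below 4.0.1, and the dependency chain that explains why (here, packages/api depends on jsonwebtoken 8.5.1, which depends on jws 3.2.2). The script below is an added example written for this page; it is not dbgate's or Chainguard's tooling. It walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), flags any installed jws older than the fixed version, and reports the reverse-dependency chain. The lockfile fragments are constructed to mirror the advisory's description; the names SAMPLE_LOCK, FIXED_LOCK and auditJws are assumptions of this example.

```javascript
// Added example (not part of dbgate or Chainguard): audit an npm lockfile's
// "packages" map for a vulnerable transitive jws and explain the chain.

const FIXED_JWS = '4.0.1'; // fixed jws version named in the advisory
const FIXED_JWT = '9.0.3'; // jsonwebtoken version that pulls in jws 4.x

// Constructed lockfile fragment mirroring the advisory (not a real dbgate lock).
const SAMPLE_LOCK = {
  name: 'dbgate',
  lockfileVersion: 3,
  packages: {
    '': { name: 'dbgate', workspaces: ['packages/*'] },
    'packages/api': { name: 'dbgate-api', dependencies: { jsonwebtoken: '^8.5.1' } },
    'node_modules/dbgate-api': { resolved: 'packages/api', link: true },
    'node_modules/jsonwebtoken': { version: '8.5.1', dependencies: { jws: '^3.2.2' } },
    'node_modules/jws': { version: '3.2.2' },
  },
};

// Constructed "after the upgrade" state: jsonwebtoken 9.0.3 bringing jws 4.0.1.
const FIXED_LOCK = {
  name: 'dbgate',
  lockfileVersion: 3,
  packages: {
    '': { name: 'dbgate', workspaces: ['packages/*'] },
    'packages/api': { name: 'dbgate-api', dependencies: { jsonwebtoken: '^9.0.3' } },
    'node_modules/jsonwebtoken': { version: '9.0.3', dependencies: { jws: '^4.0.0' } },
    'node_modules/jws': { version: '4.0.1' },
  },
};

// Minimal numeric semver compare (major.minor.patch); no prerelease handling.
function cmpVersion(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Package name for a lockfile path: last node_modules segment, or the
// workspace's declared name for a non-node_modules path (e.g. packages/api).
function nameOf(path, entry) {
  if (path.includes('node_modules/')) return path.split('node_modules/').pop();
  return (entry && entry.name) || path;
}

// Every installed copy of `name` (including nested node_modules copies)
// whose version is below `fixed`.
function findVulnerable(lock, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (nameOf(path, entry) === name && entry.version && cmpVersion(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Lockfile paths that declare `name` as a (optional) dependency.
function dependents(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in deps) out.push(path);
  }
  return out;
}

// All reverse-dependency chains ending at `targetPath`, root first.
function chainsTo(lock, targetPath, depth = 0) {
  const parents = dependents(lock, nameOf(targetPath, lock.packages[targetPath]));
  if (depth > 10 || parents.length === 0) return [[targetPath]];
  const result = [];
  for (const p of parents) {
    for (const c of chainsTo(lock, p, depth + 1)) result.push([...c, targetPath]);
  }
  return result;
}

// Audit result: whether a vulnerable jws is installed, how it got there,
// and the remediation the advisory describes.
function auditJws(lock) {
  const hits = findVulnerable(lock, 'jws', FIXED_JWS);
  return {
    vulnerable: hits.length > 0,
    findings: hits.map((h) => ({
      ...h,
      chains: chainsTo(lock, h.path).map((c) => c.join(' -> ')),
    })),
    remediation: hits.length
      ? `upgrade jsonwebtoken to >=${FIXED_JWT} (brings jws ${FIXED_JWS})`
      : 'none',
  };
}

console.log(JSON.stringify(auditJws(SAMPLE_LOCK), null, 2));
```

To run it against a real checkout, replace SAMPLE_LOCK with the parsed package-lock.json (JSON.parse of the file) and keep the same calls. Because nameOf takes the last node_modules segment, a nested copy such as node_modules/jsonwebtoken/node_modules/jws is found as well, which matters when a repo has both a patched and an unpatched jws installed side by side.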

