Mitigate fast-jwt whitespace-prefixed key algorithm confusion

[cvsz]

Motivation

• The existing fix for CVE-2023-48223 can be bypassed when a PEM public key has leading whitespace because the public key regex uses a ^ anchor and the public key path does not normalize input.
• A whitespace-prefixed RSA public key may be misclassified as an HMAC secret, re-enabling algorithm-confusion attacks that were previously patched.

Description

• Add a workspace patchedDependencies entry in pnpm-workspace.yaml so installs apply a local patch to fast-jwt@6.1.0.
• Patch performDetectPublicKeyAlgorithms in fast-jwt to call key.trimStart() (stored as normalizedKey) and use normalizedKey for PEM/X509/private-key detection and matching instead of the raw key.
• Add the patch file at patches/fast-jwt@6.1.0.patch and update pnpm-lock.yaml to register the patch hash/path so installs are deterministic and include the mitigation.

Testing

• Ran the repository test suite with pnpm test and all tests passed.
• The patched package was applied and committed using the pnpm patch workflow and the lockfile was updated to reference the patched artifact.

---

Codex Task

[gemini-code-assist]

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

[chatgpt-codex-connector]

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.