
Commit 8f651ee

Upgrade: [dependabot] - bump jsrsasign from 11.1.1 to 11.1.3 (#4615)
Bumps [jsrsasign](https://github.com/kjur/jsrsasign) from 11.1.1 to 11.1.3.

Release notes

Sourced from [jsrsasign's releases](https://github.com/kjur/jsrsasign/releases).

## Security Fix

- Changes from 11.1.2 to 11.1.3 (2026-Apr-18)
  - base64x.js
    - timingSafeEqual and timingSafeEqualImpl added
  - jws.js
    - modified to use timingSafeEqual for HS* signature verification
  - Security fixes:
    - JWS hmac signature validation timing attack fix [#654](https://redirect.github.com/kjur/jsrsasign/issues/654) by [`@Kr0emer`](https://github.com/Kr0emer)
  - bugfix
    - jws.js
      - wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint) reported in issue [#656](https://redirect.github.com/kjur/jsrsasign/issues/656) by [`@e3stpavel`](https://github.com/e3stpavel)

## Security Fix

- Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
  - Security fixes:
    - HIGH: wrong random for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and [`@Kr0emer`](https://github.com/Kr0emer) [#655](https://redirect.github.com/kjur/jsrsasign/issues/655).
    - HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
    - HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and [`@Kr0emer`](https://github.com/Kr0emer).
    - ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
    - missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.

Changelog

Sourced from [jsrsasign's changelog](https://github.com/kjur/jsrsasign/blob/master/ChangeLog.txt).

ChangeLog for jsrsasign

- Changes from 11.1.2 to 11.1.3 (2026-Apr-18)
  - base64x.js
    - timingSafeEqual and timingSafeEqualImpl added
  - jws.js
    - modified to use timingSafeEqual for HS* signature verification
  - Security fixes:
    - JWS hmac signature validation timing attack fix [#654](https://redirect.github.com/kjur/jsrsasign/issues/654) by [`@Kr0emer`](https://github.com/Kr0emer)
  - bugfix
    - jws.js
      - wrong thumbprint calculation for symmetric key (KJUR.jws.JWS.getJWKthumbprint) reported in issue [#656](https://redirect.github.com/kjur/jsrsasign/issues/656) by [`@e3stpavel`](https://github.com/e3stpavel).
- Changes from 11.1.1 to 11.1.2 (2026-Apr-12)
  - Security fixes:
    - HIGH: wrong random for Node.JS >= 19 and modern browsers (ext/rng.js SecureRandom) reported by Bronson Yen of Calif.io and [`@Kr0emer`](https://github.com/Kr0emer) [#655](https://redirect.github.com/kjur/jsrsasign/issues/655).
    - HIGH: ASN.1 Parser Infinite Loop (asn1hex.js) getChildIdx fix to avoid infinite loop reported by Koda Reef.
    - HIGH: DSA Universal Signature Forgery (dsa.js) FIPS 186-4 section 4.7 wrong boundary checking in verifyWithMessageHash reported by Koda Reef, Nicholas Carlini and [`@Kr0emer`](https://github.com/Kr0emer).
    - ASN1HEX.getChildIdx DoS (asn1hex.js) getChildIdx may raise DoS because of lacking value length check reported by Yt(yutengsun) and Franciny S Roj.
    - missing JWS crit header parameter validation (jws.js) as reported by Franciny S Roj. Thank you indeed for those vulnerability reports and/or patches.
- Changes from 11.1.0 to 11.1.1 (2026-Feb-20)
  - security fix for DSA and BigInteger
    - PR [#651](https://redirect.github.com/kjur/jsrsasign/issues/651), [#650](https://redirect.github.com/kjur/jsrsasign/issues/650), [#649](https://redirect.github.com/kjur/jsrsasign/issues/649), [#648](https://redirect.github.com/kjur/jsrsasign/issues/648), [#647](https://redirect.github.com/kjur/jsrsasign/issues/647), [#646](https://redirect.github.com/kjur/jsrsasign/issues/646), [#645](https://redirect.github.com/kjur/jsrsasign/issues/645). Thank you [`@Kr0remer`](https://github.com/Kr0remer)
    - After assigned CVE number reports will be added.
  - SECURITY.md added. Thank you [`@njg7194`](https://github.com/njg7194)

restore KJUR.crypto.Cipher class without RSA/RSAOAEP support

- Changes from 11.0.0 to 11.1.0 (2024-Feb-01)
  - src/crypto.js
    - restore KJUR.crypto.Cipher class without RSA and RSAOAEP encryption/decryption support

remove RSA and RSAOAEP encryption for Marvin attack

- Changes from 10.9.0 to 11.0.0 (2024-Jan-16)
  - Major Changes:
    - Stop to support Internet Explorer.
    - Stop to support bower.
    - Modern ECMA functions will be introduced such as Promise, let, Array methods or class.
    - API document generator will be changed from Jsdoc Toolkit to JSDoc3.
    - Module bundler will be used such as browserify or webpack.

... (truncated)

Commits

- [`5d67719`](https://github.com/kjur/jsrsasign/commit/5d677193b72a3d67b387b6fe2d070a22ff4e7876) 11.1.3 release
- [`53c0afd`](https://github.com/kjur/jsrsasign/commit/53c0afd70076634ccc0b6a0a31858c09d7cbbbb7) README update
- [`7933fcb`](https://github.com/kjur/jsrsasign/commit/7933fcb5dd40efac2d972b65c471c5a9bcdb6fac) README update
- [`dfbc4ba`](https://github.com/kjur/jsrsasign/commit/dfbc4baaa9ada13b4121cef1a729689f387efb7b) README update
- [`d568de3`](https://github.com/kjur/jsrsasign/commit/d568de35c61178e9925edbed856145231e8242a3) 11.1.2 release
- [`08f659d`](https://github.com/kjur/jsrsasign/commit/08f659d7d5a12057dc067ebac9cd79134b60d665) delete sponsorship
- [`66ff9ba`](https://github.com/kjur/jsrsasign/commit/66ff9babe14a3e74a090d727a8cda2ffab04c2d2) text update
- [`d3370bf`](https://github.com/kjur/jsrsasign/commit/d3370bf6e45d941b3790bf0deb2c0ae6f0cc9b8d) text update
- See full diff in [compare view](https://github.com/kjur/jsrsasign/compare/11.1.1...11.1.3)

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

1 parent b2b78e9 commit 8f651ee

2 files changed

Lines changed: 6 additions & 7 deletions


package-lock.json

Lines changed: 5 additions & 6 deletions

packages/coordinator/package.json

Lines changed: 1 addition & 1 deletion
@@ -33,7 +33,7 @@
3333
"fhirpath": "^4.9.2",
3434
"hapi-pino": "^13.0.0",
3535
"joi": "^18.1.2",
36-
"jsrsasign": "^11.1.1",
36+
"jsrsasign": "^11.1.3",
3737
"lossless-json": "^4.3.0",
3838
"module-alias": "^2.3.4",
3939
"moment": "^2.30.1",
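
Review bot: the `"jsrsasign": "^11.1.3"` line in packages/coordinator/package.json only raises the floor of a caret range. The previous `^11.1.1` already permitted 11.1.3, so the version that actually gets installed is decided by package-lock.json, whose diff is not rendered on this page. Please confirm the lockfile resolves jsrsasign to 11.1.3 and that no other entry in it still pins an older 11.1.x copy. The release notes in the commit message also list changes in jws.js (HS* signature verification and JWS crit header validation), so it is worth running the coordinator's JWS verification tests against the new version before merging, in case tokens that were previously accepted are now handled differently.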
