Bump joserfc from 0.9.0 to 1.6.3 in /requirements

[dependabot]

Bumps joserfc from 0.9.0 to 1.6.3.

Release notes

Sourced from joserfc's releases.

1.6.3

   🐞 Bug Fixes

• jwe: Set max value for p2c  -  by @​lepture (696a9)

    View changes on GitHub

1.6.2

   🐞 Bug Fixes

• Class does not need to inherit object  -  by @​lepture (4a9be)
• jwe: Move size limit to DeflateZipModel  -  by @​lepture (04211)
• jwe: Auto add kid when add_recipient  -  by @​lepture (10ac9)
• jwe: Auto add kid to recipient when kid exists  -  by @​lepture (9db7e)

    View changes on GitHub

1.6.1

   🐞 Bug Fixes

• Remove duplicate code  -  by @​lepture (2c2ca)
• Improve base key method definition  -  by @​lepture (d78b4)
• Update for type hints  -  by @​lepture (e0d4f)
• jwt: Remove InvalidTokenError, ExpiredTokenError based on ClaimError  -  by @​lepture (b71ca)

    View changes on GitHub

1.6.0

   🚀 Features

• Filter_algorithms names parameter default to all algs  -  by @​azmeuk (1034a)
• Pick_random_key algorithm parameter is optional  -  by @​azmeuk (ee046)
• Filter_algorithms supports KeySet objects  -  by @​azmeuk (775d5)
• jwk: Add a derive_key method for OKPKey  -  by @​lepture (04f59)
• jwk: Add derive_key method for ECKey  -  by @​lepture (73412)

   🐞 Bug Fixes

• Remove backend parameter, it is deprecated  -  by @​lepture (e10e1)
• jwa: Improve RFC9864 check key logic  -  by @​lepture (b8434)
• jwk: Improve OKPKey implementation  -  by @​lepture (7b8e3)
• jwk: Allow import key from cryptography native key types  -  by @​lepture (6db65)
• jwk: Raise InvalidKeyCurveError when generate ECKey with invalid crv  -  by @​lepture (c7921)
• jwk: Improve generate_private_key on binding class  -  by @​lepture (24257)
• jwk: Remove useless properties on OKPKey  -  by @​lepture (bf35f)
• jws: Use JWSRegistry.guess_algorithm to replace JWSRegistry.guess_alg  -  by @​lepture (6b34c)
• jwt: Make BaseClaimsRegistry.essential_keys a property.  -  by @​lepture (bc13e)

    View changes on GitHub

... (truncated)

Changelog

Sourced from joserfc's changelog.

1.6.3

Released on February 25, 2026

• JWE: Set a max value for p2c header.

1.6.2

Released on February 16, 2026

• JWE: Auto add kid to recipient.
• JWE: Use DeflateZipModel.MAX_SIZE to determine size limit.

1.6.1

Released on December 30, 2025

• Deprecate InvalidTokenError, please use InvalidClaimError instead.
• Convert ExpiredTokenError to inherit from ClaimError.
• Improve on type hints.

1.6.0

Released on December 14, 2025

• filter_algorithms names defaults to all algorithms. :pull:79.
• Replace JWSRegistry.guess_alg with JWSRegistry.guess_algorithm.
• filter_algorithms and guess_alg supports KeySet objects. :pull:81.
• Improve generate_private_key method on Key's binding class.
• Raise InvalidKeyCurveError when generating ECKey with an invalid curve.
• Allow import key from cryptography native key types.
• Add ECKey.derive_key and OKPKey.derive_key class methods.

1.5.0

Released on November 30, 2025

• Add Ed25519 and Ed448 algorithms per :ref:rfc9864, via :issue:76.
• Marked EdDSA algorithm as deprecated per :ref:rfc9864, via :issue:76.
• Add parameter default_type for :meth:jwt.encode method.

1.4.3

Released on November 19, 2025

... (truncated)

Commits

• f06540f chore: release 1.6.3
• 696a961 fix(jwe): set max value for p2c
• 52c6ffd chore: release 1.6.2
• 3b36720 chore: update deps
• 91c7ecd chore: update readme
• 9db7e44 fix(jwe): auto add kid to recipient when kid exists
• 1330b49 docs: add a cheatsheet recipe
• 10ac93f fix(jwe): auto add kid when add_recipient
• 224e72a chore: remove codecov token
• 042118c fix(jwe): move size limit to DeflateZipModel
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

This PR is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

[dependabot]

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.