refactor: migrate from jsonwebtoken to jose v5
Why this change
• jsonwebtoken is no longer actively maintained and has accumulated a large dependency tree.
• jose is a modern, actively maintained, and dependency-light alternative with better security posture.
What changed
• Updated token generation/verification logic in Danger.js to use jose.
• Adjusted the code paths to match jose’s async API and stricter type expectations.
The project’s current version (v5) is the last one that supports CommonJS; v6+ is ESM-only, which is incompatible with Danger.js’ CJS execution environment.
Verification
• All existing unit tests are passing.
• Additional validation will be required in downstream workflows, as token handling can differ subtly between libraries (expiration, algorithm defaults, error classes, etc.).
• No functional changes expected, but we should keep an eye on the next CI runs using Danger.
Benefits
• Reduced dependency footprint.
• Better long-term security and maintenance prospects.
• Aligns with current recommendations for jose/JWT handling.