fix: upgrade go-jose to v4.1.4 to patch CVE-2026-34986

[ZouhairCharef]

Updates github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to fix a high-severity denial of service vulnerability (CVE-2026-34986).

Community Contribution License

All community contributions in this pull request are licensed to the project maintainers
under the terms of the Apache 2 license.
By creating this pull request I represent that I have the right to license the
contributions to the project maintainers under the Apache 2 license.

Description

This PR upgrades the indirect dependency github.com/go-jose/go-jose/v4 from v4.1.3 to v4.1.4 to patch CVE-2026-34986, a high-severity denial of service vulnerability.
The vulnerability causes a panic during JWE (JSON Web Encryption) decryption when: - The alg field specifies certain key wrapping algorithms (ending in KW, except A128GCMKW, A192GCMKW, A256GCMKW)

• The encrypted_key field is empty This triggers an invalid slice allocation in cipher.KeyUnwrap(), causing the application to panic.

Motivation and Context

CVE-2026-34986 (CVSS 7.5 - High) is a security vulnerability that could be exploited to cause denial of service in applications using go-jose for JWE decryption. Upgrading to v4.1.4 patches this vulnerability.

How to test this PR?

Run the test suite to ensure no regressions:

cd minio                                                                                                                                                                                                        
go mod tidy

Types of changes

• Bug fix (non-breaking change which fixes an issue)

[davinkevin]

+1 for this one, we have the same need and validate the update 😇