Backport of [NET-8601] security: upgrade vault/api to remove go-jose.v2 into release/1.16.x

[dhiaayachi]

Backport

This PR is auto-generated from hashicorp#20910 to be assessed for backporting due to the inclusion of the label backport/1.16.

🚨

Warning automatic cherry-pick of commits failed. If the first commit failed,
you will see a blank no-op commit below. If at least one commit succeeded, you
will see the cherry-picked commits up to, not including, the commit where
the merge conflict occurred.

The person who merged in the original PR is:
@zalimeni
This person should manually cherry-pick the original PR into a new backport PR,
and close this one when the manual backport PR is merged in.

merge conflict error: POST https://api.github.com/repos/hashicorp/consul/merges: 409 Merge conflict []

The below text is copied from the body of the original PR.

---

This dependency has an open vulnerability (GO-2024-2631 AKA CVE-2024-28180), and is no longer needed by the latest vault/api. This is a follow-up to the upgrade of go-jose/v3 in this repository to make all our dependencies consolidate on v3.

Also remove the recently added security scan triage block for GO-2024-2631, which was added due to incorrect reports that go-jose/v3@3.0.3 was impacted; in reality, is was this indirect client dependency (not impacted by CVE) that the scanner was flagging. A bug report has been filed to address the incorrect reporting.

This PR will fail some backports due to go.mod/go.sum conflicts, but opening w/ labels to ensure we don't forget. I'll fix up the backports that fail.

Description

• Upgrade vault/api to latest
• Remove triage block for go-jose from scanner config

Testing & Reproduction steps

CI including Security Scan continue to pass.

Links

Follow-up to hashicorp#20901

PR Checklist

• updated test coverage
• external facing docs updated
• appropriate backport labels added
• not a security concern

---

Overview of commits

• 1c8e398