PyJWT 2.4.0 contains an important security fix, see CVE-2022-29217 in https://pyjwt.readthedocs.io/en/stable/changelog.html#v2-4-0

Picard is even without this patch not affected by this issue, as it explicitly sets the algorithm. But still good practice to ship a version that fixes this potential issue. Also potentially there could also be a plugin making use of this.