Open
Description
I see in #535 there is a bump to cryptography up to version 41.0.6. This bump only applies to requirements.txt and not setup.py, so the version of flask-jwt-extended installed from PyPI doesn't enforce the minimum version. This allows an installation to use a vulnerable version of Cryptography with this library.
I didn't open a pull request because I'm not sure if you want to force users to upgrade. The current setup doesn't prevent users from upgrading but in my own case I updated flask-jwt-extended using Poetry in my project and a new version of cryptography wasn't installed automatically.
Is this something you want addressed? If not it might be worth adding a note to the docs warning against the vulnerable dependency.
filak
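A quick way to catch this class of drift, where a minimum version is raised in requirements.txt but not in the package metadata that PyPI installs enforce, is to diff the lower bounds of both files. The script below is an added example for this issue, not code from the flask-jwt-extended project; the requirements.txt and setup.py contents are constructed samples (the `cryptography>=3.3.1` bound in the sample setup.py is invented for illustration, not the project's real pin), and the version comparison is a simplified numeric-tuple compare that ignores pre-release tags and epochs.

```python
"""Report dependencies whose requirements.txt lower bound is higher than the
bound setup.py's install_requires enforces.

Added example, not the flask-jwt-extended project's own code. File contents
below are constructed samples; version comparison is numeric-only.
"""
import ast
import re

# "name" followed by an optional specifier, after comments have been stripped.
REQ_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*(.*)$")
# Operators that imply a lower bound, with the version they apply to.
SPEC_RE = re.compile(r"(>=|==|~=|>|<=|<|!=)\s*([0-9][0-9A-Za-z.\-]*)")


def parse_version(v):
    """Simplified version parse: '41.0.6' -> (41, 0, 6). No pre-release handling."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def lower_bound(spec):
    """Highest minimum version implied by a specifier string, or None."""
    best = None
    for op, ver in SPEC_RE.findall(spec):
        if op in (">=", "==", "~=", ">"):
            pv = parse_version(ver)
            if best is None or pv > best:
                best = pv
    return best


def parse_requirements(text):
    """Map normalised package name -> specifier string from requirements lines."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks and -r/-e options
            continue
        m = REQ_RE.match(line)
        if m:
            out[m.group(1).lower().replace("_", "-")] = m.group(2)
    return out


def parse_setup_install_requires(source):
    """Pull install_requires out of the setup() call without executing setup.py."""
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        name = getattr(func, "id", None) or getattr(func, "attr", None)
        if name != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires":
                return parse_requirements("\n".join(ast.literal_eval(kw.value)))
    return {}


def find_unenforced_minimums(requirements_txt, setup_py):
    """(name, required_minimum, enforced_minimum) for every package whose
    requirements.txt bound is not enforced by setup.py."""
    reqs = parse_requirements(requirements_txt)
    installs = parse_setup_install_requires(setup_py)
    findings = []
    for name, spec in reqs.items():
        want = lower_bound(spec)
        if want is None:
            continue
        have = lower_bound(installs.get(name, ""))
        if have is None or have < want:
            findings.append((name, want, have))
    return findings


# Constructed sample inputs: the requirements.txt bump reached cryptography,
# the setup.py bound did not move.
REQUIREMENTS_TXT = """
# constructed sample
Flask>=2.0
cryptography>=41.0.6
PyJWT>=2.0
"""

SETUP_PY = """
from setuptools import setup
setup(
    name="example",
    install_requires=[
        "Flask>=2.0",
        "cryptography>=3.3.1",   # constructed value, not the project's real pin
        "PyJWT>=2.0",
    ],
)
"""

if __name__ == "__main__":
    for name, want, have in find_unenforced_minimums(REQUIREMENTS_TXT, SETUP_PY):
        print(f"{name}: requirements.txt needs >= {want}, setup.py enforces {have}")
```

Run against the real files by reading them in place of the constructed strings; any row printed is a dependency that a `pip install` or Poetry add of the published package will not upgrade, exactly the situation described above.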