The current version of slackhq/nebula used by smallstep/certificates (v1.9.7) is affected by CVE-2026-25793 (HIGH severity — blocklist evasion via ECDSA Signature Malleability), which is fixed in Nebula v1.10.3.
This is surfacing in downstream projects (Caddy, FrankenPHP) as a Trivy finding, and the FrankenPHP maintainer has confirmed the fix needs to happen here since the latest Nebula version contains a breaking change that prevents them from updating independently (see php/frankenphp#2177).
Would it be possible to update the Nebula dependency to >= 1.10.3?
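The CVE title above names ECDSA signature malleability as the root cause of the blocklist evasion. The Go program below is an added illustration of that primitive and of the usual mitigation, not code from Nebula, smallstep/certificates, or the advisory, and it does not reproduce how Nebula's blocklist is keyed. It assumes a hypothetical blocklist that fingerprints a signature by hashing its raw (r, s) values: every ECDSA signature (r, s) has a twin (r, n - s) that verifies under the same key and message, so a fingerprint over raw (r, s) can be dodged by resigning nothing at all, while a fingerprint over the low-s canonical form is stable. The key, message and fingerprint scheme are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/big"
)

// Sig is an ECDSA signature as its (r, s) pair.
type Sig struct{ R, S *big.Int }

// malleate returns the second valid signature for the same key and digest:
// (r, n - s), with n the curve order. A verifier that does not enforce a
// canonical form accepts both.
func malleate(curve elliptic.Curve, sig Sig) Sig {
	n := curve.Params().N
	return Sig{R: new(big.Int).Set(sig.R), S: new(big.Int).Sub(n, sig.S)}
}

// canonical returns the low-s form: if s > n/2 it is replaced by n - s.
// Both forms verify, but exactly one is low-s, so anything keyed on the
// canonical form sees the same value for a signature and its twin.
func canonical(curve elliptic.Curve, sig Sig) Sig {
	n := curve.Params().N
	half := new(big.Int).Rsh(n, 1)
	s := new(big.Int).Set(sig.S)
	if s.Cmp(half) > 0 {
		s.Sub(n, s)
	}
	return Sig{R: new(big.Int).Set(sig.R), S: s}
}

// fingerprint is the hypothetical blocklist key: SHA-256 over fixed-width
// big-endian r || s. Feeding it raw (r, s) is the weak pattern; feeding it
// canonical(sig) is the fix.
func fingerprint(curve elliptic.Curve, sig Sig) string {
	byteLen := (curve.Params().BitSize + 7) / 8
	h := sha256.New()
	h.Write(sig.R.FillBytes(make([]byte, byteLen)))
	h.Write(sig.S.FillBytes(make([]byte, byteLen)))
	return hex.EncodeToString(h.Sum(nil))
}

// isLowS reports whether s <= n/2.
func isLowS(curve elliptic.Curve, sig Sig) bool {
	half := new(big.Int).Rsh(curve.Params().N, 1)
	return sig.S.Cmp(half) <= 0
}

// demoResult collects what the demo observed.
type demoResult struct {
	OrigVerifies, TwinVerifies     bool
	NaiveSameKey, CanonicalSameKey bool
}

// demo signs a constructed digest with a fresh P-256 key, builds the
// malleated twin, and checks which fingerprinting scheme distinguishes them.
func demo() (demoResult, error) {
	curve := elliptic.P256()
	priv, err := ecdsa.GenerateKey(curve, rand.Reader)
	if err != nil {
		return demoResult{}, err
	}
	digest := sha256.Sum256([]byte("constructed sample certificate bytes"))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return demoResult{}, err
	}
	orig := Sig{R: r, S: s}
	twin := malleate(curve, orig)
	pub := &priv.PublicKey
	return demoResult{
		// crypto/ecdsa only requires 0 < s < n, so both forms verify.
		OrigVerifies: ecdsa.Verify(pub, digest[:], orig.R, orig.S),
		TwinVerifies: ecdsa.Verify(pub, digest[:], twin.R, twin.S),
		// Raw (r, s) fingerprints differ: the twin slips past a naive blocklist.
		NaiveSameKey: fingerprint(curve, orig) == fingerprint(curve, twin),
		// Canonical fingerprints agree: the twin is caught.
		CanonicalSameKey: fingerprint(curve, canonical(curve, orig)) ==
			fingerprint(curve, canonical(curve, twin)),
	}, nil
}

func main() {
	res, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, twin verifies: %v\n", res.OrigVerifies, res.TwinVerifies)
	fmt.Printf("raw fingerprints match: %v, canonical fingerprints match: %v\n",
		res.NaiveSameKey, res.CanonicalSameKey)
}
```

The defensive takeaway is the one the fix in Nebula v1.10.3 embodies at the level of the affected project: a blocklist, revocation set or audit index must never be keyed on a value an attacker can vary without a new signing operation, so either normalise signatures to low-s before hashing or key on something signature-independent such as the certificate's public key or serial.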