fix: drop dependency on jwk-to-pem by using native crypto

This replaces jwk-to-pem with simply using crypto.createPublicKey. This
further drops elliptic from the dependency tree, which has known
security issues (note this is mostly for hygiene as jwk-to-pem doesn't
use the vulnerable code paths, per
Brightspace/node-jwk-to-pem#187).

Author: dgl