I really feel like that by now this should be well known and none of the currently in-use libraries should accept alg=none tokens without additional flags being set (yes_i_really_want_no_security=true or something)
However the real issue is, of course, the spec which allowed this in the first place even though it makes zeros sense aside of making unit tests a tiny bit easier to write. But the cost is not worth the gains. At. All.
See also: https://lobste.rs/s/idysrp/how_write_secure_jwt_library_if_you