Releases: lestrrat-go/jwx
v4.0.2
For more detailed release notes, see Changes.
What's Changed
- ci: print coverage summary in GitHub Actions run summary by @lestrrat in #2078
- ci: also run on push to target branches by @lestrrat in #2079
- jws: refuse "b64" header in VerifyCompactFast by @lestrrat in #2080
- jws: VerifyCompactFast refusals match jws.VerifyError() class by @lestrrat in #2082
- jws: name loose keySet options in fan-out verify error by @lestrrat in #2084
- jws: honor RFC 7797 b64=false in Message.MarshalJSON by @lestrrat in #2086
- jws: reject literal-JSON "protected" in general-form JWS by @lestrrat in #2088
- jwt: ParseRequest: don't skip form body on chunked transfer by @lestrrat in #2090
- jwt: Settings rejects out-of-range NumericDate precision by @lestrrat in #2092
- jwt: pedantic mode enforces cty=JWT nested-envelope shape by @lestrrat in #2093
- jwt: reshape base64-corruption hint as diagnosis-first by @lestrrat in #2095
- jwt: defensively reject missing claims in MaxDeltaIs / MinDeltaIs by @lestrrat in #2098
- jwt: ParseInsecure: parse loop-local payload, not original input by @lestrrat in #2096
- jwt: align Validate fast/slow paths to same iat,exp,nbf check order by @lestrrat in #2100
- jws: Verify rejects b64=false without "b64" listed in "crit" by @lestrrat in #2101
- jws: Sign auto-declares "b64" in "crit" when emitting b64=false by @lestrrat in #2103
- jws: declare "b64" as typed bool header field by @lestrrat in #2105
- jws: reject general-form JWS with top-level "header" sibling of "signatures" by @lestrrat in #2107
- jws: typed sentinel for AlgorithmsForKey unclassifiable-key failures by @lestrrat in #2109
- jws: VerifyMessage observes ctx cancellation between loop iterations by @lestrrat in #2111
- jws: cleanup follow-ups from recent review (low-severity batch) by @lestrrat in #2113
- jwe/jwebb: document Register{HPKE,MLKEM,MLKEMDirect}Algorithm as privileged extension points by @lestrrat in #2115
- jwe: DecryptMessage observes ctx cancellation between loop iterations by @lestrrat in #2116
- jwe: parse and bound-check PBES2 p2c in int64 space; name the violated bound by @lestrrat in #2118
- jwe: WithKey validates alg-vs-key shape at option-time by @lestrrat in #2120
- jwe: compression cap error names "decompressed" payload, the option, and the size by @lestrrat in #2122
- jwe: bound joined-error count and drop redundant outer Decrypt prefix by @lestrrat in #2124
- jwe: keySetProvider surfaces per-key errors via errors.Join by @lestrrat in #2126
- jwe: add WithDisabledKeyAlgorithms global policy hook by @lestrrat in #2128
- jwe: document WithMaxDecompressBufferSize behavior at non-positive values by @lestrrat in #2130
- jwk: stop duplicating JWK fields at JWKS top level on parse by @lestrrat in #2132
- jwk: wrap ParseKey/ParseKeyAs errors with ParseError sentinel by @lestrrat in #2134
- jwk: stream the keys array with cap-before-allocate by @lestrrat in #2136
- jwk: probe tolerates duplicate JSON field names by @lestrrat in #2138
- jwk: treat nil key from custom KeyParser as continue, not success by @lestrrat in #2139
- jwk: fix phantom ContinueParseError refs and unmarshaler typo in docs by @lestrrat in #2141
- jwk: add UnknownKeyTypeError typed error by @lestrrat in #2143
- jwk: document AKP-specific Thumbprint canonicalization on public methods by @lestrrat in #2144
- docs/jwk: use jwk.WithX509(true) in PEM section prose by @lestrrat in #2145
- docs/jwk: document EncodePEM emit-to-PEM path by @lestrrat in #2146
- MIGRATION: document PublicSetOf default-reject for symmetric keys by @lestrrat in #2147
- jwk: clarify that any value <= 0 disables the RSA strength floor by @lestrrat in #2148
- jwk: move extension-authoring walkthrough from doc.go to docs/04-jwk.md by @lestrrat in #2149
- jwk: correct Import godoc for crypto/ecdh dispatch by @lestrrat in #2150
- jwk: surface Export type mismatch as KeyTypeMismatchError by @lestrrat in #2151
- jwk: RegisterKeyImporter takes KeyImporter, not a typed function by @lestrrat in #2152
- Changes: draft v4.0.2 release notes by @lestrrat in #2154
Full Changelog: v4.0.1...v4.0.2
v3.1.1
For more detailed release notes, see Changes.
What's Changed
- build(deps): bump pozil/auto-assign-issue from 2.2.0 to 2.2.1 by @dependabot[bot] in #2045
- guard ecdsa coordinates against oversized big.Int by @lestrrat in #2050
- reject jwe with conflicting alg in protected vs per-recipient by @lestrrat in #2052
- fix AddressClaim.MarshalJSON for non-printable bytes by @lestrrat in #2056
- jwt: only call ParseForm when WithFormKey is supplied by @lestrrat in #2058
- jws: jkuProvider rejects fetched keys marked use=enc by @lestrrat in #2060
- jwa: unify SignatureAlgorithm/KeyEncryption/ContentEncryption into one registry by @lestrrat in #2066
- build(deps): bump pozil/auto-assign-issue from f245a9119ba5cc2fed4aa7b8268d576d40acddf0 to 7bf9d82c77d45976224660b873fc83e60576c5aa by @dependabot[bot] in #2065
- cmd/jwx: warn on private-key-to-tty + reject keysize<=0 for oct by @lestrrat in #2071
- jws: refuse "b64" header in VerifyCompactFast by @lestrrat in #2081
- jws: VerifyCompactFast refusals match jws.VerifyError() class by @lestrrat in #2083
- jws: name loose keySet options in fan-out verify error by @lestrrat in #2085
- jws: honor RFC 7797 b64=false in Message.MarshalJSON by @lestrrat in #2087
- jws: reject literal-JSON "protected" in general-form JWS by @lestrrat in #2089
- jwt: ParseRequest: don't skip form body on chunked transfer by @lestrrat in #2091
- jwt: pedantic mode enforces cty=JWT nested-envelope shape by @lestrrat in #2094
- jwt: defensively reject missing claims in MaxDeltaIs / MinDeltaIs by @lestrrat in #2099
- jwt: ParseInsecure: parse loop-local payload, not original input by @lestrrat in #2097
- jws: Verify rejects b64=false without "b64" listed in "crit" by @lestrrat in #2102
- jws: Sign auto-declares "b64" in "crit" when emitting b64=false by @lestrrat in #2104
- jws: declare "b64" as typed bool header field by @lestrrat in #2106
- jws: reject general-form JWS with top-level "header" sibling of "signatures" by @lestrrat in #2108
- jws: typed sentinel for AlgorithmsForKey unclassifiable-key failures by @lestrrat in #2110
- jws: VerifyMessage observes ctx cancellation between loop iterations by @lestrrat in #2112
- jws: cleanup follow-ups from recent review (low-severity batch) by @lestrrat in #2114
- jwe: DecryptMessage observes ctx cancellation between loop iterations by @lestrrat in #2117
- jwe: parse and bound-check PBES2 p2c in int64 space; name the violated bound by @lestrrat in #2119
- jwe: WithKey validates alg-vs-key shape at option-time by @lestrrat in #2121
- jwe: compression cap error names "decompressed" payload, the option, and the size by @lestrrat in #2123
- jwe: bound joined-error count and drop redundant outer Decrypt prefix by @lestrrat in #2125
- jwe: keySetProvider surfaces per-key errors via errors.Join by @lestrrat in #2127
- jwe: add WithDisabledKeyAlgorithms global policy hook by @lestrrat in #2129
- jwe: document WithMaxDecompressBufferSize behavior at non-positive values by @lestrrat in #2131
- jwk: stop duplicating JWK fields at JWKS top level on parse by @lestrrat in #2133
- jwk: wrap ParseKey errors with ParseError sentinel by @lestrrat in #2135
- jwk: stream the keys array with cap-before-allocate by @lestrrat in #2137
- jwk: treat nil key from custom KeyParser as continue, not success by @lestrrat in #2140
- jwk: fix phantom ContinueParseError refs and unmarshaler typo in docs by @lestrrat in #2142
- Changes: draft v3.1.1 release notes by @lestrrat in #2155
Full Changelog: v3.1.0...v3.1.1
v4.0.1
What's Changed
- docs: add jwxfilter to extension modules doc by @lestrrat in #2041
- autodoc updates by @github-actions[bot] in #2042
- docs: fix broken v3-to-v4.yaml link in Changes-v4.md by @lestrrat in #2048
- guard ecdsa coordinates against oversized big.Int by @lestrrat in #2049
- reject jwe with conflicting alg in protected vs per-recipient by @lestrrat in #2051
- autodoc updates by @github-actions[bot] in #2053
- docs: document PrivateClaims concurrency contract by @lestrrat in #2055
- fix AddressClaim.MarshalJSON for non-printable bytes by @lestrrat in #2054
- jwt: only call ParseForm when WithFormKey is supplied by @lestrrat in #2057
- jws: jkuProvider rejects fetched keys marked use=enc by @lestrrat in #2059
- jwk: refuse RegisterKeyImporter for built-in raw key types by @lestrrat in #2061
- jwa: unify SignatureAlgorithm/KeyEncryption/ContentEncryption into one registry by @lestrrat in #2062
- docs: jwkbb X509 registry is a privileged extension point by @lestrrat in #2067
- docs(internals): record Settings unknown-option handling as design intent by @lestrrat in #2068
- cmd/jwx: warn on private-key-to-tty + reject keysize<=0 for oct by @lestrrat in #2070
- autodoc updates by @github-actions[bot] in #2069
- fix jwxmigrate install path in MIGRATION.md by @lestrrat in #2076
Full Changelog: v4.0.0...v4.0.1
v4.0.0
Changes
v4 has many incompatibilities with v3. To see the full list of differences between
v3 and v4, please read the Changes-v4.md file. Coding Agents should read MIGRATION.md.
v4.0.0 - 19 Apr 2026
- Initial v4 release. Major features:
  - Lighter: Core / Companion module separation. Fewer dependencies in core.
  - Faster: Use of generics and other optimizations makes v4 2x~3x faster than before.
  - Quantum-Ready: ML-KEM and ML-DSA, HPKE (+Hybrid) are supported through companion modules.
- See Changes-v4.md for a full set of Changes since v3.
v3.1.0
See Changes file for curated list of changes
What's Changed
- Appease linter by @lestrrat in #1543
- Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @dependabot[bot] in #1538
- Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #1542
- Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #1536
- Bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #1539
- Add AGENTS.md by @lestrrat in #1546
- exclude AGENTS.md by @lestrrat in #1548
- Bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #1545
- Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #1535
- Add symlink by @lestrrat in #1549
- Fix jwk.Cache worker issues by @lestrrat in #1552
- Exclude CLAUDE.md from autodoc by @lestrrat in #1555
- Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @dependabot[bot] in #1561
- Bump actions/stale from 10.1.1 to 10.2.0 by @dependabot[bot] in #1559
- Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #1557
- Reduce allocations in concatkdf Read by @lestrrat in #1562
- Eliminate redundant lock acquisitions in LookupKeyID by @lestrrat in #1563
- Replace make+copy with bytes.Clone by @lestrrat in #1564
- Use base64.Encode instead of EncodeToString in JWS marshal by @lestrrat in #1565
- Cache keyalg/ctalg String() in JWE encrypt/decrypt by @lestrrat in #1566
- Inline ndata() in concatkdf New by @lestrrat in #1567
- Fix dependabot workflow by @lestrrat in #1574
- Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @dependabot[bot] in #1568
- Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @dependabot[bot] in #1570
- Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @dependabot[bot] in #1571
- Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #1573
- harden dependabot workflow by @lestrrat in #1575
- fix inverted rlocker condition in RSA key export by @lestrrat in #1576
- Fix jwe decrypt typo by @lestrrat in #1577
- Fix example naming by @lestrrat in #1578
- Chore remove unused blank assigns by @lestrrat in #1579
- add WhitelistError sentinel, use errors.Is in test by @lestrrat in #1581
- standardize error helpers in jws and jwe by @lestrrat in #1582
- add fuzz testing infrastructure for jwt/jws/jwe/jwk by @lestrrat in #1583
- fix flaky cache and jwt validation tests by @lestrrat in #1585
- add .claude/docs and pre-read rules to AGENTS.md by @lestrrat in #1584
- Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @dependabot[bot] in #1587
- Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @dependabot[bot] in #1590
- Bump actions/cache from 5.0.3 to 5.0.4 by @dependabot[bot] in #1593
- Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @dependabot[bot] in #1589
- Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @dependabot[bot] in #1595
- use standard go deprecation markers in jws by @lestrrat in #1596
- fix probe field name in panic message by @lestrrat in #1597
- Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @dependabot[bot] in #1599
- Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #1600
- enforce crit header validation in jws.Verify per RFC 7515 by @lestrrat in #1601
- validate crit header in VerifyCompactFast by @lestrrat in #1602
- fix X25519 ECDH-ES to include apu/apv in KDF by @lestrrat in #1603
- enforce minimum PBES2 iteration count by @lestrrat in #1604
- reject null JSON values for string claims (#1484) by @lestrrat in #1605
- add RFC 9864 fully-specified EdDSA signature algorithms by @lestrrat in #1606
- add extension APIs and KeyKind dispatch for external algorithm modules by @lestrrat in #1607
- add jwkunsafe package docs and tests by @lestrrat in #1609
- delegate custom algorithm registration to dsig by @lestrrat in #1610
- autodoc updates by @github-actions[bot] in #1611
- pin ed448 module to latest jwx by @lestrrat in #1612
- move ed448 to external jwx-circl-ed448 repo by @lestrrat in #1613
- autodoc updates by @github-actions[bot] in #1614
- pin jwx-circl-ed448 to latest commit by @lestrrat in #1615
- update Changes for v3.0.14 by @lestrrat in #1616
- use jwk.Import fallback in AlgorithmsForKey by @lestrrat in #1617
- fix OKP key export dispatch for Ed448 by @lestrrat in #1618
- fix misleading Ed448 dispatch comments in jwsbb by @lestrrat in #1619
- add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @lestrrat in #1620
- pin jwx-circl-ed448 to ce28e4bb in examples by @lestrrat in #1621
- add WithMaxFetchBodySize to limit Fetch response body by @lestrrat in #1622
- add per-call PBES2 count overrides to jwe.Decrypt by @lestrrat in #1623
- fix X509CertChain() to return false when chain is nil by @lestrrat in #1624
- fix data race in x509 decoder registry iteration by @lestrrat in #1625
- add max key count limit to PEM parsing loop by @lestrrat in #1626
- reject negative WithAcceptableSkew in jwt.Validate by @lestrrat in #1627
- accept year 0000 in OIDC birthdate per spec by @lestrrat in #1628
- update Changes for #1620-#1628 by @lestrrat in #1629
- add max input size limit to jwt/jwe ParseReader by @lestrrat in #1630
- add global default for MaxFetchBodySize by @lestrrat in #1631
- fix parse size limit race, validation, and jws coverage by @lestrrat in #1632
- add max recipients limit for JWE messages by @lestrrat in #1633
- add default HTTP timeout for jwk.Fetch by @lestrrat in #1634
- document jti replay protection as caller responsibility by @lestrrat in #1635
- add max signatures limit for JWS messages by @lestrrat in #1636
- add default redirect policy for jwk.Fetch by @lestrrat in #1637
- add jwk.DefaultHTTPClient by @lestrrat in #1638
- check redirect scheme downgrade at every hop by @lestrrat in #1639
- apply default redirect policy to jwk.Cache by @lestrrat in #1640
- make null string claim rejection opt-in by @lestrrat in #1641
- add jwk.WrapHTTPClientDefaults by @lestrrat in #1642
- update Changes for #1630-#1640 by @lestrrat in #1643
- document WithHTTPClient bypass of defaults by @lestrrat in #1646
- use atomic wrappers for global settings by @lestrrat in #1647
- reuse shared HTTP client in Cache.Register by @lestrrat in #1648
- accept ParseOption in jws.ParseString by @lestrrat in #1650
- validate maxSignatures is positive by @lestrrat in #1649
- do...
v3.0.13
What's Changed
- Pass value of WithContext to jws.Verify by @lestrrat in #1483
- Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @dependabot[bot] in #1490
- Bump actions/checkout from 5.0.0 to 5.0.1 by @dependabot[bot] in #1494
- Bump actions/setup-go from 6.0.0 to 6.1.0 by @dependabot[bot] in #1500
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #1499
- Bump golang.org/x/crypto from 0.39.0 to 0.45.0 in /cmd/jwx by @dependabot[bot] in #1495
- Bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #1504
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genoptions by @dependabot[bot] in #1502
- Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @dependabot[bot] in #1506
- Fix document for (jwk.Set).LookupKeyID by @lestrrat in #1508
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genjwt by @dependabot[bot] in #1509
- Bump actions/stale from 10.1.0 to 10.1.1 by @dependabot[bot] in #1514
- Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @dependabot[bot] in #1515
- Bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #1516
- Update httprc by @lestrrat in #1518
- Bump actions/cache from 4.3.0 to 5.0.1 by @dependabot[bot] in #1525
- Appease linter (v2.7.2) by @lestrrat in #1526
- Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @dependabot[bot] in #1520
- Add permissions by @lestrrat in #1528
- Bump github.com/valyala/fastjson from 1.6.4 to 1.6.7 by @dependabot[bot] in #1524
- Fix Clone() by @lestrrat in #1530
Full Changelog: v3.0.12...v3.0.13
v3.0.12
What's Changed
- Change go.mod version requirements to go 1.24.0 and introduce toolchain directive by @henrymcconville in #1465
- Use go.mod for go version in Bazel module by @henrymcconville in #1466
- Enable legacy signers by default, and explicitly populate new signer instances by @lestrrat in #1460
- autodoc updates by @github-actions[bot] in #1475
- Fix godoclint issues by @babakks in #1469
- Bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #1463
- Bump actions/stale from 10.0.0 to 10.1.0 by @dependabot[bot] in #1468
- Bump github.com/segmentio/asm from 1.2.0 to 1.2.1 by @dependabot[bot] in #1462
- Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1472
- Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #1474
- revive godoclint by @lestrrat in #1478
- [jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization by @lestrrat in #1477
- autodoc updates by @github-actions[bot] in #1480
New Contributors
- @henrymcconville made their first contribution in #1465
- @babakks made their first contribution in #1469
Full Changelog: v3.0.11...v3.0.12
v3.0.11
What's Changed
- Bump actions/cache from 4.2.3 to 4.2.4 by @dependabot[bot] in #1438
- Bump golang.org/x/crypto from 0.40.0 to 0.41.0 by @dependabot[bot] in #1436
- [jwe] Work with non X25519 ECDH encryption by @lestrrat in #1442
- Bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #1440
- Separate out signature generation / verification into its own framework by @lestrrat in #1439
- Bump github.com/lestrrat-go/httprc/v3 from 3.0.0 to 3.0.1 by @dependabot[bot] in #1443
- Bump actions/stale from 9.1.0 to 10.0.0 by @dependabot[bot] in #1451
- Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @dependabot[bot] in #1447
- Bump golang.org/x/crypto from 0.41.0 to 0.42.0 by @dependabot[bot] in #1456
- Bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #1449
- Warh40k fix/connection leak by @lestrrat in #1458
- Allow shutting down jwk cache by @adam-bates in #1457
New Contributors
- @adam-bates made their first contribution in #1457
Full Changelog: v3.0.10...v3.0.11
v3.0.10
v3.0.9
What's Changed
- [jwk] Implement X509 related code in jwkbb by @lestrrat in #1423
- Tweak error message by @lestrrat in #1424
- [jwt] implement distinguishable jwt.Get errors by @lestrrat in #1426
- Update bazel to v8 by @lestrrat in #1429
- Bump golang.org/x/crypto from 0.39.0 to 0.40.0 by @dependabot[bot] in #1428
- Allow HeaderGetXXX() functions to differentiate not found / invalid headers by @lestrrat in #1432
Full Changelog: v3.0.8...v3.0.9