Sourced fromjws's releases.

v3.2.3

Changed

• Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now requirethat a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, addressing a compatibility issue for Node >= 25.

Sourced fromjws's changelog.

[3.2.3]

Changed

• Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now requirethat a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING:jwt.verify now requires analgorithm parameter, andjws.createVerify requires analgorithm option. The"alg" fieldsignature headers is ignored. This mitigates a critical security flawin the library which would allow an attacker to generate signatures witharbitrary contents that would be accepted byjwt.verify. Seehttps://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed frombinary toutf8.utf8 is a is a more sensible default thanbinary becausemany payloads, as far as I can tell, will contain user-facingstrings that could be in any language. (6b6de48)

• Code reorganization, thanks@​fearphage! (7880050)

Added

• Option in all relevant methods forencoding. For those few usersthat might be depending on abinary encoding of the messages, thisis for them. (6b6de48)

• 4f6e73f Merge commit from fork
• bd0fea5 version 3.2.3
• 7c3b4b4 Enhance tests for HMAC streaming sign and verify
• a9b8ed9 Improve secretOrKey initialization in VerifyStream
• 6707fde Improve secret handling in SignStream
• See full diff incompare view

This version was pushed to npm byjulien.wollscheid, a new releaser for jws since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from theSecurity Alerts page.