Sourced fromjws's releases.

v4.0.1

Changed

• Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now requirethat a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Sourced fromjws's changelog.

[4.0.1]

Changed

• Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now requirethat a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)when using HMAC algorithms.
• Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

• Fix advisoryGHSA-869p-cjfg-cm3x: createSign and createVerify now requirethat a non empty secret is provided (via opts.secret, opts.privateKey or opts.key)when using HMAC algorithms.
• Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

• BREAKING:jwt.verify now requires analgorithm parameter, andjws.createVerify requires analgorithm option. The"alg" fieldsignature headers is ignored. This mitigates a critical security flawin the library which would allow an attacker to generate signatures witharbitrary contents that would be accepted byjwt.verify. Seehttps://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/for details.

2.0.0 - 2015-01-30

Changed

• BREAKING: Default payload encoding changed frombinary toutf8.utf8 is a is a more sensible default thanbinary becausemany payloads, as far as I can tell, will contain user-facingstrings that could be in any language. ([6b6de48])

• Code reorganization, thanks [@​fearphage]! (7880050)

Added

• Option in all relevant methods forencoding. For those few usersthat might be depending on abinary encoding of the messages, thisis for them. ([6b6de48])

... (truncated)

• 34c45b2 Merge commit from fork
• 49bc39b version 4.0.1
• d42350c Enhance tests for HMAC streaming sign and verify
• 5cb007c Improve secretOrKey initialization in VerifyStream
• f9a2e1c Improve secret handling in SignStream
• b9fb8d3 Merge pull request#102 from auth0/SRE-57-Upload-opslevel-yaml
• 95b75ee Upload OpsLevel YAML
• 8857ee7 test: remove unused variable (#96)
• See full diff incompare view

This version was pushed to npm byjulien.wollscheid, a new releaser for jws since your current version.

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from theSecurity Alerts page.