jose - npm Package Versions

3.0.0 (2020-11-14)

⚠ BREAKING CHANGES

• Revised, Promise-based API
• No dependencies
• Browser support (using Web Cryptography API)
• Support for verification using a remote JWKS endpoint

Features

• Revised API, No dependencies, Browser Support, Promises (357fe0b)

2.0.3 (2020-10-29)

Fixes

• allow stubbing of the JWT.decode function (6c3b92f)

2.0.2 (2020-09-14)

Fixes

• esm: include esm files in the published package (1956746)

2.0.1 (2020-09-10)

Fixes

• allow plugins such as jose-chacha to work in newer node runtime (30f1dc2)

2.0.0 (2020-09-08)

⚠ BREAKING CHANGES

• the JWE.decrypt option algorithms was removed and replaced with contentEncryptionAlgorithms (handles enc allowlist) and keyManagementAlgorithms (handles alg allowlist)
• the JWT.verify profile option was removed, use e.g. JWT.IdToken.verify instead.
• removed the maxAuthAge JWT.verify option, this option is now only present at the specific JWT profile APIs where the auth_time property applies.
• removed the nonce JWT.verify option, this option is now only present at the specific JWT profile APIs where the nonce property applies.
• the acr, amr, nonce and azp claim value types will only be checked when verifying a specific JWT profile using its dedicated API.
• using the draft implementing APIs will emit a one-time warning per process using process.emitWarning
• JWT.sign function options no longer accept a nonce property. To create a JWT with a nonce just pass the value to the payload.
• due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is >=10.13.0 < 13 || >=13.7.0
• deprecated method JWK.importKey was removed
• deprecated method JWKS.KeyStore.fromJWKS was removed
• the use of unregistered curve name P-256K for secp256k1 was removed
• jose.JWE.Encrypt constructor aad and unprotectedHeader arguments swapped places
• jose.JWE.encrypt.flattened header (unprotectedHeader) and aad arguments swapped places
• jose.JWE.encrypt.general header (unprotectedHeader) and aad arguments swapped places
• JWS.verify returned payloads are now always buffers
• JWS.verify options encoding and parse were removed

Features

• added support for ESM (ECMAScript modules) (1aa9035)
• decrypt allowlists for both key management and content encryption (30e5c46)

Fixes

• typescript: allow Buffer when verifying detached signature (cadbd04)
• typescript: properly type all decode/verify/decrypt fn options (4c23bd6)

Refactor

• encrypt APIs unprotectedHeader and aad arguments swapped (70bd4ae)
• move JWT profile specifics outside of generic JWT (fd69d7f)
• removed nonce option from JWT.sign (c4267cc)
• removed deprecated methods and utilities (6c35c51)
• removed payload parsing from JWS.verify (ba5c897)

1.28.0 (2020-08-10)

Features

• support for validating issuer from a list of values (#91) (ce6836a)

1.27.3 (2020-08-04)

Fixes

• do not mutate unencoded payload when signing for multiple parties (1695423), closes #89
• ensure "b64" is the same for all recipients edge cases (d56ec9f)

1.27.2 (2020-07-01)

Fixes

• handle private EC keys without public component (#86) (e8ad389), closes #85

1.27.1 (2020-06-01)

Fixes

• allow any JSON numeric value for timestamp values (7ba4922)

1.27.0 (2020-05-05)

Features

• add opt-in objects to verify using embedded JWS Header public keys (7c1cab1)