jose - npm Package Versions

2.0.1 (2020-09-10)

Fixes

• allow plugins such as jose-chacha to work in newer node runtime (30f1dc2)

2.0.0 (2020-09-08)

⚠ BREAKING CHANGES

• the JWE.decrypt option algorithms was removed and replaced with contentEncryptionAlgorithms (handles enc allowlist) and keyManagementAlgorithms (handles alg allowlist)
• the JWT.verify profile option was removed, use e.g. JWT.IdToken.verify instead.
• removed the maxAuthAge JWT.verify option, this option is now only present at the specific JWT profile APIs where the auth_time property applies.
• removed the nonce JWT.verify option, this option is now only present at the specific JWT profile APIs where the nonce property applies.
• the acr, amr, nonce and azp claim value types will only be checked when verifying a specific JWT profile using its dedicated API.
• using the draft implementing APIs will emit a one-time warning per process using process.emitWarning
• JWT.sign function options no longer accept a nonce property. To create a JWT with a nonce just pass the value to the payload.
• due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is >=10.13.0 < 13 || >=13.7.0
• deprecated method JWK.importKey was removed
• deprecated method JWKS.KeyStore.fromJWKS was removed
• the use of unregistered curve name P-256K for secp256k1 was removed
• jose.JWE.Encrypt constructor aad and unprotectedHeader arguments swapped places
• jose.JWE.encrypt.flattened header (unprotectedHeader) and aad arguments swapped places
• jose.JWE.encrypt.general header (unprotectedHeader) and aad arguments swapped places
• JWS.verify returned payloads are now always buffers
• JWS.verify options encoding and parse were removed

Features

• added support for ESM (ECMAScript modules) (1aa9035)
• decrypt allowlists for both key management and content encryption (30e5c46)

Fixes

• typescript: allow Buffer when verifying detached signature (cadbd04)
• typescript: properly type all decode/verify/decrypt fn options (4c23bd6)

Refactor

• encrypt APIs unprotectedHeader and aad arguments swapped (70bd4ae)
• move JWT profile specifics outside of generic JWT (fd69d7f)
• removed nonce option from JWT.sign (c4267cc)
• removed deprecated methods and utilities (6c35c51)
• removed payload parsing from JWS.verify (ba5c897)

1.28.0 (2020-08-10)

Features

• support for validating issuer from a list of values (#91) (ce6836a)

1.27.3 (2020-08-04)

Fixes

• do not mutate unencoded payload when signing for multiple parties (1695423), closes #89
• ensure "b64" is the same for all recipients edge cases (d56ec9f)

1.27.2 (2020-07-01)

Fixes

• handle private EC keys without public component (#86) (e8ad389), closes #85

1.27.1 (2020-06-01)

Fixes

• allow any JSON numeric value for timestamp values (7ba4922)

1.27.0 (2020-05-05)

Features

• add opt-in objects to verify using embedded JWS Header public keys (7c1cab1)

1.26.1 (2020-04-27)

Fixes

• typescript: types of key generate functions without overloads (7e60722), closes #80
• "typ" content-type validation, case insensitive and handled prefix (0691586)

1.26.0 (2020-04-16)

Features

• update JWT Profile for OAuth 2.0 Access Tokens to latest draft (8c0a8a9)

BREAKING CHANGES

• at+JWT JWT draft profile - in the draft's Section 2.2 the claims iat and jti are now REQUIRED (was RECOMMENDED).

1.25.2 (2020-04-15)

Fixes

• build: don't publish junk files (6e98c1a)