jsonwebtoken - npm Package Versions

9.0.2 - 2023-08-30

• security: updating semver to 7.5.4 to resolve CVE-2022-25883, closes #921.
• refactor: reduce library size by using lodash specific dependencies, closes #878.

9.0.1 - 2023-07-05

• fix(stubs): allow decode method to be stubbed

9.0.0 - 2022-12-21

Breaking changes: See Migration from v8 to v9

Breaking changes

• Removed support for Node versions 11 and below.
• The verify() function no longer accepts unsigned tokens by default. ([834503079514b72264fd13023a3b8d648afd6a16]https://github.com/auth0/node-jsonwebtoken/commit/834503079514b72264fd13023a3b8d648afd6a16)
• RSA key size must be 2048 bits or greater. ([ecdf6cc6073ea13a7e71df5fad043550f08d0fa6]https://github.com/auth0/node-jsonwebtoken/commit/ecdf6cc6073ea13a7e71df5fad043550f08d0fa6)
• Key types must be valid for the signing / verification algorithm

Security fixes

• security: fixes Arbitrary File Write via verify function - CVE-2022-23529
• security: fixes Insecure default algorithm in jwt.verify() could lead to signature validation bypass - CVE-2022-23540
• security: fixes Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC - CVE-2022-23541
• security: fixes Unrestricted key type could lead to legacy keys usage - CVE-2022-23539

8.5.1 - 2019-03-18

Bug fix

• fix: ensure correct PS signing and verification (#585) (e5874ae428ffc0465e6bd4e660f89f78b56a74a6), closes #585

Docs

• README: fix markdown for algorithms table (84e03ef70f9c44a3aef95a1dc122c8238854f683)

8.5.0 - 2019-02-20

New Functionality

• feat: add PS JWA support for applicable node versions (#573) (eefb9d9c6eec54718fa6e41306bda84788df7bec), closes #573
• Add complete option in jwt.verify (#522) (8737789dd330cf9e7870f4df97fd52479adbac22), closes #522

Test Improvements

• Add tests for private claims in the payload (#555) (5147852896755dc1291825e2e40556f964411fb2), closes #555
• Force use_strict during testing (#577) (7b60c127ceade36c33ff33be066e435802001c94), closes #577
• Refactor tests related to jti and jwtid (#544) (7eebbc75ab89e01af5dacf2aae90fe05a13a1454), closes #544
• ci: remove nsp from tests (#569) (da8f55c3c7b4dd0bfc07a2df228500fdd050242a), closes #569

Docs

• Fix 'cert' token which isn't a cert (#554) (0c24fe68cd2866cea6322016bf993cd897fefc98), closes #554

8.4.0 - 2018-11-14

New Functionality

• Add verify option for nonce validation (#540) (e7938f06fdf2ed3aa88745b72b8ae4ee66c2d0d0), closes #540

Bug Fixes

• Updating Node version in Engines spec in package.json (#528) (cfd1079305170a897dee6a5f55039783e6ee2711), closes #528 #509
• Fixed error message when empty string passed as expiresIn or notBefore option (#531) (7f9604ac98d4d0ff8d873c3d2b2ea64bd285cb76), closes #531

Docs

• Update README.md (#527) (b76f2a80f5229ee5cde321dd2ff14aa5df16d283), closes #527
• Update README.md (#538) (1956c4006472fd285b8a85074257cbdbe9131cbf), closes #538
• Edited the README.md to make certain parts of the document for the api easier to read, emphasizing the examples. (#548) (dc89a641293d42f72ecfc623ce2eabc33954cb9d), closes #548
• Document NotBeforeError (#529) (29cd654b956529e939ae8f8c30b9da7063aad501), closes #529

Test Improvements

• Use lolex for faking date in tests (#491) (677ead6d64482f2067b11437dda07309abe73cfa), closes #491
• Update dependencies used for running tests (#518) (5498bdc4865ffb2ba2fd44d889fad7e83873bb33), closes #518
• Minor test refactoring for recently added tests (#504) (e2860a9d2a412627d79741a95bc7159971b923b9), closes #504
• Create and implement async/sync test helpers (#523) (683d8a9b31ad6327948f84268bd2c8e4350779d1), closes #523
• Refactor tests related to audience and aud (#503) (53d405e0223cce7c83cb51ecf290ca6bec1e9679), closes #503
• Refactor tests related to expiresIn and exp (#501) (72f0d9e5b11a99082250665d1200c58182903fa6), closes #501
• Refactor tests related to iat and maxAge (#507) (877bd57ab2aca9b7d230805b21f921baed3da169), closes #507
• Refactor tests related to iss and issuer (#543) (0906a3fa80f52f959ac1b6343d3024ce5c7e9dea), closes #543
• Refactor tests related to kid and keyid (#545) (88645427a0adb420bd3e149199a2a6bf1e17277e), closes #545
• Refactor tests related to notBefore and nbf (#497) (39adf87a6faef3df984140f88e6724ddd709fd89), closes #497
• Refactor tests related to subject and sub (#505) (5a7fa23c0b4ac6c25304dab8767ef840b43a0eca), closes #505
• Implement async/sync tests for exp claim (#536) (9ae3f207ac64b7450ea0a3434418f5ca58d8125e), closes #536
• Implement async/sync tests for nbf claim (#537) (88bc965061ed65299a395f42a100fb8f8c3c683e), closes #537
• Implement async/sync tests for sub claim (#534) (342b07bb105a35739eb91265ba5b9dd33c300fc6), closes #534
• Implement async/sync tests for the aud claim (#535) (1c8ff5a68e6da73af2809c9d87faaf78602c99bb), closes #535

CI

• Added Istanbul to check test-coverage (#468) (9676a8306428a045e34c3987bd0680fb952b44e3), closes #468
• Complete ESLint conversion and cleanup (#490) (cb1d2e1e40547f7ecf29fa6635041df6cbba7f40), closes #490
• Make code-coverage mandatory when running tests (#495) (fb0084a78535bfea8d0087c0870e7e3614a2cbe5), closes #495

8.3.0 - 2018-06-11

• docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
• ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
• new feature: Secret callback revisited (#480) (d01cc7bcbdeb606d997a580f967b3169fcc622ba), closes #480
• docs:Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

8.2.2 - 2018-05-30

• security: deps: jws@3.1.5 (#477) (ebde9b7cc75cb7ab5176de7ebc4a1d6a8f05bd51), closes #465
• docs: add some clarifications (#473) (cd33cc81f06068b9df6c224d300dc6f70d8904ab), closes #473
• ci: fix ci execution, remove not needed script (#472) (c8ff7b2c3ffcd954a64a0273c20a7d1b22339aa5), closes #472
• docs: Update README.md (#461) (f0e0954505f274da95a8d9603598e455b4d2c894), closes #461

8.2.1 - 2018-04-05

• bug fix: Check payload is not null when decoded. (#444) (1232ae9352ce5fd1ca6c593291ce6ad0834a1ff5)
• docs: Clarify that buffer/string payloads must be JSON (#442) (e8ac1be7565a3fd986d40cb5e31a9f6c4d9aed1b)

8.2.0 - 2018-03-02

• Add a new mutatePayload option (#446) (d6d7c5e5103f05a92d3633ac190d3025a0455be0)