Changelog
[3.0.0]
jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field in signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.
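
The 3.0.0 change above, as an added illustration that is not code from this library: a minimal HMAC-only verifier built on Node's crypto module, comparing a check that takes the algorithm from the token header with one where the caller pins it. The function names, key and tokens are constructed for the example.

```javascript
const crypto = require('crypto');

// HMAC variants only, to keep the example short (a Map avoids prototype keys).
const HASHES = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']]);
const b64url = (data) => Buffer.from(data).toString('base64url');

// "none" means an unsigned token: its signature part is the empty string.
function computeSignature(algorithm, signingInput, key) {
  if (algorithm === 'none') return '';
  const hash = HASHES.get(algorithm);
  if (!hash) throw new Error('unsupported algorithm: ' + algorithm);
  return b64url(crypto.createHmac(hash, key).update(signingInput).digest());
}

function sign(payload, algorithm, key) {
  const header = b64url(JSON.stringify({ alg: algorithm, typ: 'JWT' }));
  const input = header + '.' + b64url(JSON.stringify(payload));
  return input + '.' + computeSignature(algorithm, input, key);
}

function checkSignature(token, algorithm, key) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const expected = Buffer.from(computeSignature(algorithm, parts[0] + '.' + parts[1], key));
  const actual = Buffer.from(parts[2]);
  return expected.length === actual.length && crypto.timingSafeEqual(expected, actual);
}

// Header-trusting model (hypothetical): the token decides how it is checked.
function verifyTrustingHeader(token, key) {
  try {
    const header = JSON.parse(Buffer.from(token.split('.')[0], 'base64url').toString('utf8'));
    return checkSignature(token, header.alg, key);
  } catch (e) {
    return false;
  }
}

// Pinned model (hypothetical): the caller names the algorithm; header "alg" is never read.
function verifyPinned(token, algorithm, key) {
  if (!HASHES.has(algorithm)) throw new Error('an explicit signing algorithm is required');
  return checkSignature(token, algorithm, key);
}

// Constructed sample key and tokens.
const KEY = 'constructed-demo-key';
const signedToken = sign({ sub: 'alice' }, 'HS256', KEY);
const unsignedToken = sign({ sub: 'alice' }, 'none', KEY);
```

With the algorithm pinned, the unsigned sample token fails verification, while the header-trusting check accepts it.
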
[2.0.0] - 2015-01-30
BREAKING: Default payload encoding changed from binary to utf8. utf8 is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. (<code>[6b6de48]</code>)
Code reorganization, thanks [@fearphage]! (<code>[7880050]</code>)
encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. (<code>[6b6de48]</code>)