authorizationParams no longer requires nonce for response_type=token
issuer's auth signing algs presence is now asserted if client is missing the relevant metadata property
unintended (client|issuer).metadata[property] reassignment is no longer possible
refreshed encrypted ID Tokens are now properly decrypted
userinfo_endpoint presence on an issuer is now asserted during userinfo function call
PBES2 symmetric encryption and decryption now correctly uses the client_secret value rather then its SHA digest
Accept header is now correctly set for all requests
clients configured to receive signed and/or encrypted userinfo endpoints will now correctly reject a response that isn't proper application/jwt

Features

Typed Errors - openid-client now has unique errors for HTTP transport related errors, OP/AS returned errors and RP(client-side) assertions.
common configuration issues are now gracefully handled. I feel like many developers may be setting properties like redirect_uri or response_type on a client instance. I sympathize and openid-client will now take these common mistakes and accomodate.
QoL #client.authorizationParams() will now attempt to resolve the redirect_uri and response_type from your client's metadata. If there's only one listed, it will be used automatically. If there's more, you must continue providing it explicitly.
per-request http request options helper function HTTP request options can now be modified on a per request basis for the different classes or their instances. This now allows each request's options to be altered on-demand with e.g. client mutual-TLS certificates or implementing work arounds for specific AS quirks.
mutual-TLS client authentication is now supported through the above mentioned helper for both client-authentication and proof-of-possession purposes.
custom request bodies Where the above per-request helper falls short is providing extra token endpoint exchange parameters like resource to authorization code or refresh token exchange, you can now pass those in the actual client methods.
custom client assertion payloads You can now pass extra claims to the client authenticated calls e.g. token, introspect, revoke.
request objects are now set to be one-time use Generated Request Objects are secure by default they include iat, exp and jti claims so that OPs have a way to make them one-time use depending on their policy.
EdDSA support OKP JSON Web Keys and EdDSA signing and verification is now supported.

BREAKING CHANGES

openid-client now uses @panva/jose for all things JOSE. As a result of this the minimum required node version is v12.0.0 and the client will now only function in node.js environments.
Issuer.defaultHttpOptions getter and setter were removed. See documentation customization section for its replacement.
client.CLOCK_TOLERANCE client property was removed. See documentation customization section for its replacement.
client.authorizationCallback() has been renamed to client.callback()
tokenset.claims getter is now a function tokenset.claims()
useRequest and useGot methods were removed, with the maintenance mode and inevitable deprecation of the request module i've decided to only support got as an http request library.
Instead of passing jose library keystore instances with private keys the API now expects a JWKS formatted object. keystore options argument properties are now called just jwks.
response_type=code is no longer defaulted to in #client.authorizationUrl() if your client instance has multiple response_types members.
Strict === equality operator is now used for assertions, while unlikely the breaking change is that should some ID Token claims be correct values but incorrect type, these will start failing now.
#client.revoke() no longer returns or in any way processes the response body as per spec requirements.
All http(s) responses are now strictly checked for the expected http response status code.
All http(s) requests now assert that an absolute URL is being requested.
Passport Strategy will now fail when userinfo is requested via the verify callback arity but no access token is returned from the OP.