Releases: lestrrat-go/jwx
v4.0.1
What's Changed
- docs: add jwxfilter to extension modules doc by @lestrrat in #2041
- autodoc updates by @github-actions[bot] in #2042
- docs: fix broken v3-to-v4.yaml link in Changes-v4.md by @lestrrat in #2048
- guard ecdsa coordinates against oversized big.Int by @lestrrat in #2049
- reject jwe with conflicting alg in protected vs per-recipient by @lestrrat in #2051
- autodoc updates by @github-actions[bot] in #2053
- docs: document PrivateClaims concurrency contract by @lestrrat in #2055
- fix AddressClaim.MarshalJSON for non-printable bytes by @lestrrat in #2054
- jwt: only call ParseForm when WithFormKey is supplied by @lestrrat in #2057
- jws: jkuProvider rejects fetched keys marked use=enc by @lestrrat in #2059
- jwk: refuse RegisterKeyImporter for built-in raw key types by @lestrrat in #2061
- jwa: unify SignatureAlgorithm/KeyEncryption/ContentEncryption into one registry by @lestrrat in #2062
- docs: jwkbb X509 registry is a privileged extension point by @lestrrat in #2067
- docs(internals): record Settings unknown-option handling as design intent by @lestrrat in #2068
- cmd/jwx: warn on private-key-to-tty + reject keysize<=0 for oct by @lestrrat in #2070
- autodoc updates by @github-actions[bot] in #2069
- fix jwxmigrate install path in MIGRATION.md by @lestrrat in #2076
Full Changelog: v4.0.0...v4.0.1
v4.0.0
Changes
v4 has many incompatibilities with v3. To see the full list of differences between
v3 and v4, please read the Changes-v4.md file. Coding Agents should read MIGRATION.md.
v4.0.0 - 19 Apr 2026
- Initial v4 release. Major features:
  - Lighter: Core / Companion module separation. Fewer dependencies in core.
  - Faster: Use of generics and other optimizations make v4 2x~3x faster than before.
  - Quantum-Ready: ML-KEM and ML-DSA, HPKE (+Hybrid) are supported through companion modules.
- See Changes-v4.md for a full set of Changes since v3.
v3.1.0
See Changes file for curated list of changes
What's Changed
- Appease linter by @lestrrat in #1543
- Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @dependabot[bot] in #1538
- Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #1542
- Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #1536
- Bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #1539
- Add AGENTS.md by @lestrrat in #1546
- exclude AGENTS.md by @lestrrat in #1548
- Bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #1545
- Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #1535
- Add symlink by @lestrrat in #1549
- Fix jwk.Cache worker issues by @lestrrat in #1552
- Exclude CLAUDE.md from autodoc by @lestrrat in #1555
- Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @dependabot[bot] in #1561
- Bump actions/stale from 10.1.1 to 10.2.0 by @dependabot[bot] in #1559
- Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #1557
- Reduce allocations in concatkdf Read by @lestrrat in #1562
- Eliminate redundant lock acquisitions in LookupKeyID by @lestrrat in #1563
- Replace make+copy with bytes.Clone by @lestrrat in #1564
- Use base64.Encode instead of EncodeToString in JWS marshal by @lestrrat in #1565
- Cache keyalg/ctalg String() in JWE encrypt/decrypt by @lestrrat in #1566
- Inline ndata() in concatkdf New by @lestrrat in #1567
- Fix dependabot workflow by @lestrrat in #1574
- Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @dependabot[bot] in #1568
- Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @dependabot[bot] in #1570
- Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @dependabot[bot] in #1571
- Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #1573
- harden dependabot workflow by @lestrrat in #1575
- fix inverted rlocker condition in RSA key export by @lestrrat in #1576
- Fix jwe decrypt typo by @lestrrat in #1577
- Fix example naming by @lestrrat in #1578
- Chore remove unused blank assigns by @lestrrat in #1579
- add WhitelistError sentinel, use errors.Is in test by @lestrrat in #1581
- standardize error helpers in jws and jwe by @lestrrat in #1582
- add fuzz testing infrastructure for jwt/jws/jwe/jwk by @lestrrat in #1583
- fix flaky cache and jwt validation tests by @lestrrat in #1585
- add .claude/docs and pre-read rules to AGENTS.md by @lestrrat in #1584
- Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @dependabot[bot] in #1587
- Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @dependabot[bot] in #1590
- Bump actions/cache from 5.0.3 to 5.0.4 by @dependabot[bot] in #1593
- Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @dependabot[bot] in #1589
- Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @dependabot[bot] in #1595
- use standard go deprecation markers in jws by @lestrrat in #1596
- fix probe field name in panic message by @lestrrat in #1597
- Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @dependabot[bot] in #1599
- Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #1600
- enforce crit header validation in jws.Verify per RFC 7515 by @lestrrat in #1601
- validate crit header in VerifyCompactFast by @lestrrat in #1602
- fix X25519 ECDH-ES to include apu/apv in KDF by @lestrrat in #1603
- enforce minimum PBES2 iteration count by @lestrrat in #1604
- reject null JSON values for string claims (#1484) by @lestrrat in #1605
- add RFC 9864 fully-specified EdDSA signature algorithms by @lestrrat in #1606
- add extension APIs and KeyKind dispatch for external algorithm modules by @lestrrat in #1607
- add jwkunsafe package docs and tests by @lestrrat in #1609
- delegate custom algorithm registration to dsig by @lestrrat in #1610
- autodoc updates by @github-actions[bot] in #1611
- pin ed448 module to latest jwx by @lestrrat in #1612
- move ed448 to external jwx-circl-ed448 repo by @lestrrat in #1613
- autodoc updates by @github-actions[bot] in #1614
- pin jwx-circl-ed448 to latest commit by @lestrrat in #1615
- update Changes for v3.0.14 by @lestrrat in #1616
- use jwk.Import fallback in AlgorithmsForKey by @lestrrat in #1617
- fix OKP key export dispatch for Ed448 by @lestrrat in #1618
- fix misleading Ed448 dispatch comments in jwsbb by @lestrrat in #1619
- add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @lestrrat in #1620
- pin jwx-circl-ed448 to ce28e4bb in examples by @lestrrat in #1621
- add WithMaxFetchBodySize to limit Fetch response body by @lestrrat in #1622
- add per-call PBES2 count overrides to jwe.Decrypt by @lestrrat in #1623
- fix X509CertChain() to return false when chain is nil by @lestrrat in #1624
- fix data race in x509 decoder registry iteration by @lestrrat in #1625
- add max key count limit to PEM parsing loop by @lestrrat in #1626
- reject negative WithAcceptableSkew in jwt.Validate by @lestrrat in #1627
- accept year 0000 in OIDC birthdate per spec by @lestrrat in #1628
- update Changes for #1620-#1628 by @lestrrat in #1629
- add max input size limit to jwt/jwe ParseReader by @lestrrat in #1630
- add global default for MaxFetchBodySize by @lestrrat in #1631
- fix parse size limit race, validation, and jws coverage by @lestrrat in #1632
- add max recipients limit for JWE messages by @lestrrat in #1633
- add default HTTP timeout for jwk.Fetch by @lestrrat in #1634
- document jti replay protection as caller responsibility by @lestrrat in #1635
- add max signatures limit for JWS messages by @lestrrat in #1636
- add default redirect policy for jwk.Fetch by @lestrrat in #1637
- add jwk.DefaultHTTPClient by @lestrrat in #1638
- check redirect scheme downgrade at every hop by @lestrrat in #1639
- apply default redirect policy to jwk.Cache by @lestrrat in #1640
- make null string claim rejection opt-in by @lestrrat in #1641
- add jwk.WrapHTTPClientDefaults by @lestrrat in #1642
- update Changes for #1630-#1640 by @lestrrat in #1643
- document WithHTTPClient bypass of defaults by @lestrrat in #1646
- use atomic wrappers for global settings by @lestrrat in #1647
- reuse shared HTTP client in Cache.Register by @lestrrat in #1648
- accept ParseOption in jws.ParseString by @lestrrat in #1650
- validate maxSignatures is positive by @lestrrat in #1649
- do...
v3.0.13
What's Changed
- Pass value of WithContext to jws.Verify by @lestrrat in #1483
- Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @dependabot[bot] in #1490
- Bump actions/checkout from 5.0.0 to 5.0.1 by @dependabot[bot] in #1494
- Bump actions/setup-go from 6.0.0 to 6.1.0 by @dependabot[bot] in #1500
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @dependabot[bot] in #1499
- Bump golang.org/x/crypto from 0.39.0 to 0.45.0 in /cmd/jwx by @dependabot[bot] in #1495
- Bump actions/checkout from 5.0.1 to 6.0.0 by @dependabot[bot] in #1504
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genoptions by @dependabot[bot] in #1502
- Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @dependabot[bot] in #1506
- Fix document for (jwk.Set).LookupKeyID by @lestrrat in #1508
- Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genjwt by @dependabot[bot] in #1509
- Bump actions/stale from 10.1.0 to 10.1.1 by @dependabot[bot] in #1514
- Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @dependabot[bot] in #1515
- Bump actions/checkout from 6.0.0 to 6.0.1 by @dependabot[bot] in #1516
- Update httprc by @lestrrat in #1518
- Bump actions/cache from 4.3.0 to 5.0.1 by @dependabot[bot] in #1525
- Appease linter (v2.7.2) by @lestrrat in #1526
- Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @dependabot[bot] in #1520
- Add permissions by @lestrrat in #1528
- Bump github.com/valyala/fastjson from 1.6.4 to 1.6.7 by @dependabot[bot] in #1524
- Fix Clone() by @lestrrat in #1530
Full Changelog: v3.0.12...v3.0.13
v3.0.12
What's Changed
- Change go.mod version requirements to go 1.24.0 and introduce toolchain directive by @henrymcconville in #1465
- Use go.mod for go version in Bazel module by @henrymcconville in #1466
- Enable legacy signers by default, and explicitly populate new signer instances by @lestrrat in #1460
- autodoc updates by @github-actions[bot] in #1475
- Fix godoclint issues by @babakks in #1469
- Bump actions/cache from 4.2.4 to 4.3.0 by @dependabot[bot] in #1463
- Bump actions/stale from 10.0.0 to 10.1.0 by @dependabot[bot] in #1468
- Bump github.com/segmentio/asm from 1.2.0 to 1.2.1 by @dependabot[bot] in #1462
- Bump github/codeql-action from 3 to 4 by @dependabot[bot] in #1472
- Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @dependabot[bot] in #1474
- revive godoclint by @lestrrat in #1478
- [jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization by @lestrrat in #1477
- autodoc updates by @github-actions[bot] in #1480
New Contributors
- @henrymcconville made their first contribution in #1465
- @babakks made their first contribution in #1469
Full Changelog: v3.0.11...v3.0.12
v3.0.11
What's Changed
- Bump actions/cache from 4.2.3 to 4.2.4 by @dependabot[bot] in #1438
- Bump golang.org/x/crypto from 0.40.0 to 0.41.0 by @dependabot[bot] in #1436
- [jwe] Work with non X25519 ECDH encryption by @lestrrat in #1442
- Bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in #1440
- Separate out signature generation / verification into its own framework by @lestrrat in #1439
- Bump github.com/lestrrat-go/httprc/v3 from 3.0.0 to 3.0.1 by @dependabot[bot] in #1443
- Bump actions/stale from 9.1.0 to 10.0.0 by @dependabot[bot] in #1451
- Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @dependabot[bot] in #1447
- Bump golang.org/x/crypto from 0.41.0 to 0.42.0 by @dependabot[bot] in #1456
- Bump actions/setup-go from 5.5.0 to 6.0.0 by @dependabot[bot] in #1449
- Warh40k fix/connection leak by @lestrrat in #1458
- Allow shutting down jwk cache by @adam-bates in #1457
New Contributors
- @adam-bates made their first contribution in #1457
Full Changelog: v3.0.10...v3.0.11
v3.0.10
v3.0.9
What's Changed
- [jwk] Implement X509 related code in jwkbb by @lestrrat in #1423
- Tweak error message by @lestrrat in #1424
- [jwt] implement distinguishable jwt.Get errors by @lestrrat in #1426
- Update bazel to v8 by @lestrrat in #1429
- Bump golang.org/x/crypto from 0.39.0 to 0.40.0 by @dependabot[bot] in #1428
- Allow HeaderGetXXX() functions to differentiate not found / invalid headers by @lestrrat in #1432
Full Changelog: v3.0.8...v3.0.9
v3.0.8
What's Changed
- change from interface{} to any by @lestrrat in #1417
- autodoc updates by @github-actions in #1418
- Introduce jwe lower level API (jwebb), and refactor a bunch of things. by @lestrrat in #1419
- [jws/jwsbb] Add io.Reader for source of randomness by @lestrrat in #1420
- Add package level doc for jwe by @lestrrat in #1421
- Add jwsbb.HeaderParse by @lestrrat in #1422
Full Changelog: v3.0.7...v3.0.8
v3.0.7
What's Changed
- Update examples by @lestrrat in #1412
- autodoc updates by @github-actions in #1413
- Add error when signature could not be verified by @lestrrat in #1414
- Add Header type for quick and dirty access to JWS headers by @lestrrat in #1415
- Refactor jwsbb code by @lestrrat in #1416
Full Changelog: v3.0.6...v3.0.7