8.5.3
- If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will expose the given key. The key is no longer leaked via this exception (PR #1353)
8.5.2
Changed
- Bumped the versions for laminas/diactoros and psr/http-message to support PSR-7 v2.0 (PR #1339)
8.5.1
Fixed
- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
Security
- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent a PKCE downgrade attack (PR #1326)
8.3.6
Fixed
- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
[8.5.3]
- If a key string is provided to the CryptKey constructor with an invalid passphrase, the LogicException message generated will expose the given key. The key is no longer leaked via this exception (PR #1353)
[8.5.2] - released 2023-06-16
Changed
- Bumped the versions for laminas/diactoros and psr/http-message to support PSR-7 v2.0 (PR #1339)
[8.5.1] - released 2023-04-04
Fixed
- Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)
- You can now set a leeway for time drift between servers when validating a JWT (PR #1304)
Security
- Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent a PKCE downgrade attack (PR #1326)
[8.3.6] - released 2022-11-14
Fixed
- Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)
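The PKCE downgrade entry above (PR #1326) is easier to reason about with the check written out. This is an added, simplified illustration in Python, not the league/oauth2-server code: the `AuthCodePayload` fields, `validate_pkce` and the test vector (taken from RFC 7636 Appendix B) are assumptions for the example. It rejects a `code_verifier` presented against a code that was never bound to a `code_challenge`, and also the reverse case, before checking the S256 or plain binding.

```python
import base64
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of the decrypted authorization-code payload (the
# challenge the server stored at /authorize time). Field names are
# assumptions for this illustration.
@dataclass
class AuthCodePayload:
    code_challenge: Optional[str] = None
    code_challenge_method: Optional[str] = None

# RFC 7636 section 4.1: 43..128 unreserved characters
_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")

def _s256(verifier: str) -> str:
    # BASE64URL(SHA256(ASCII(code_verifier))) without padding
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def validate_pkce(payload: AuthCodePayload, code_verifier: Optional[str]) -> bool:
    """True only when the token request is consistent with the PKCE state
    bound to the authorization code; False means the request is rejected."""
    has_challenge = payload.code_challenge is not None
    has_verifier = code_verifier is not None
    if has_verifier and not has_challenge:
        # Downgrade attempt: a verifier for a code issued without a challenge.
        return False
    if has_challenge and not has_verifier:
        # Code was bound to a challenge, so the verifier is mandatory.
        return False
    if not has_challenge:
        return True  # non-PKCE flow: nothing to bind
    if not _VERIFIER_RE.match(code_verifier):
        return False
    method = payload.code_challenge_method or "plain"
    if method == "S256":
        expected = _s256(code_verifier)
    elif method == "plain":
        expected = code_verifier
    else:
        return False  # unknown transform method
    return hmac.compare_digest(expected, payload.code_challenge)
```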
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/avored/laravel-ecommerce/network/alerts).
Bumps league/oauth2-server from 8.3.5 to 8.5.3.
Release notes: sourced from league/oauth2-server's releases (listed above).
Changelog: sourced from league/oauth2-server's changelog (listed above).
Commits
- eb91b41 Update changelog links
- cb93a0f Merge pull request #1353 from Sephster/fix-iss-1351
- 605f6f0 Change wording of changelog
- 20f07b0 Update changelog
- 0143d52 Remove potential key from exception message
- 8ab731e Update changelog for version 8.5.2
- 52638c5 Merge pull request #1339 from erikn69/patch-1
- 3b88400 update changelog
- 9a97128 Upgrade laminas/diactoros
- 52fd94d Merge remote-tracking branch 'upstream/master' into patch-1