v2.0.9 - 21 Mar 2023
[Security Fixes]
* Updated use of golang.org/x/crypto to v0.7.0
[Bug fixes]
* Emitted PEM file for EC private key types used the wrong PEM armor ([#875](https://github.com/lestrrat-go/jwx/issues/875))
[Miscellaneous]
* Banners for generated files have been modified to allow tools to pick them up ([#867](https://github.com/lestrrat-go/jwx/issues/867))
* Remove unused variables around ReadFileOption ([#866](https://github.com/lestrrat-go/jwx/issues/866))
* Fix test failures
* Support bazel out of the box
* Now you can create JWS messages using `{"alg":"none"}`, by calling `jws.Sign()`
with `jws.WithInsecureNoSignature()` option. ([#888](https://github.com/lestrrat-go/jwx/issues/888), [#890](https://github.com/lestrrat-go/jwx/issues/890)).
Note that there is no way to call
`jws.Verify()` while allowing `{"alg":"none"}` as you wouldn't be _verifying_
the message if we allowed the "none" algorithm. `jws.Parse()` will parse such
messages witout verification.
`jwt` also allows you to sign using alg="none", but there's no symmetrical
way to verify such messages.
Updated use of golang.org/x/crypto to v0.7.0
[Bug fixes]
Emitted PEM file for EC private key types used the wrong PEM armor (#875)
[Miscellaneous]
Banners for generated files have been modified to allow tools to pick them up (#867)
Remove unused variables around ReadFileOption (#866)
Fix test failures
Support bazel out of the box
Now you can create JWS messages using {"alg":"none"}, by calling jws.Sign()
with jws.WithInsecureNoSignature() option. (#888, #890).
Note that there is no way to call
jws.Verify() while allowing {"alg":"none"} as you wouldn't be verifying
the message if we allowed the "none" algorithm. jws.Parse() will parse such
messages witout verification.
jwt also allows you to sign using alg="none", but there's no symmetrical
way to verify such messages.
You can trigger a rebase of this PR by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
> **Note**
> Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
dependabot[bot]
commented
1 year ago
Bumps github.com/lestrrat-go/jwx/v2 from 2.0.8 to 2.0.9.
Release notes
Sourced from github.com/lestrrat-go/jwx/v2's releases.
Changelog
Sourced from github.com/lestrrat-go/jwx/v2's changelog.
Commits
fccc524Update v2 (#894)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)