themarshallproject / klaxon

Klaxon enables reporters and editors to monitor scores of sites on the web for newsworthy changes.
https://newsklaxon.org
MIT License
646 stars 199 forks source link

Bump jwt from 2.2.2 to 2.3.0 #521

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps jwt from 2.2.2 to 2.3.0.

Changelog

Sourced from jwt's changelog.

v2.3.0 (2021-10-03)

Full Changelog

Closed issues:

  • [SECURITY] Algorithm Confusion Through kid Header #440
  • JWT to memory #436
  • ArgumentError: wrong number of arguments (given 2, expected 1) #429
  • HMAC section of README outdated #421
  • NoMethodError: undefined method `zero?' for nil:NilClass if JWT has no 'alg' field #410
  • Release new version #409
  • NameError: uninitialized constant JWT::JWK #403

Merged pull requests:

v2.2.3 (2021-04-19)

Full Changelog

Implemented enhancements:

  • Verify algorithm before evaluating keyfinder #343
  • Why jwt depends on json < 2.0 ? #179
  • Support for JWK in-lieu of rsa_public #158
  • Fix rspec raise_error warning #413 (excpt)
  • Add support for JWKs with HMAC key type. #372 (phlegx)
  • Improve 'none' algorithm handling #365 (danleyden)
  • Handle parsed JSON JWKS input with string keys #348 (martinemde)
  • Allow Numeric values during encoding #327 (fanfilmu)

Closed issues:

... (truncated)

Commits
  • 1fd5b7a Bump version to 2.3.0
  • cf7848c Update AUTHORS
  • 60a89d0 Update CHANGELOG
  • 06812af Fix Style/MultilineIfModifier issues
  • a4270e8 Pass kid param through JWT::JWK.create_from
  • ffad2de feat(EdDSA): Accept EdDSA as algorithm header
  • 1a4e401 fix document about passing JWKs as a simple Hash
  • 744933b Tests for mixing JWK keys with mismatching algorithms
  • 3b4a1ab Fixing some rubocop warnings
  • 97dfc64 integration test for required_claims
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)