For more detailed release notes, see Changes.
What's Changed
- docs: refresh CONTRIBUTING examples link and branch example by @lestrrat in #2156
- autodoc updates by @github-actions[bot] in #2157
- add dependabot updates for develop/v4 by @lestrrat in #2160
- build(deps): bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #2161
- build(deps): bump golang.org/x/crypto from 0.49.0 to 0.51.0 by @dependabot[bot] in #2162
- build(deps): bump pozil/auto-assign-issue from 2.2.0 to 3.0.0 by @dependabot[bot] in #2163
- docs: drop dead jwt error helper references by @lestrrat in #2164
- add claude code plugin and supporting docs by @lestrrat in #2165
- tighten companion-bulk skill rules by @lestrrat in #2166
- docs: add claude code skill install instructions by @lestrrat in #2167
- docs: add DeepWiki badge to README by @lestrrat in #2168
- ci: make v4 fuzz workflow actually run by @lestrrat in #2169
- ci: rotate companion fuzz cache via per-run key by @lestrrat in #2170
- docs: explain fuzz template skip-list by @lestrrat in #2171
- build(deps): bump actions/stale from 10.2.0 to 10.3.0 by @dependabot[bot] in #2175
- build(deps): bump golang.org/x/crypto from 0.51.0 to 0.52.0 by @dependabot[bot] in #2181
- build(deps): bump golangci/golangci-lint-action from 9.2.0 to 9.2.1 by @dependabot[bot] in #2182
- build(deps): bump actions/checkout from 6.0.2 to 6.0.3 by @dependabot[bot] in #2185
- build(deps): bump pozil/auto-assign-issue from 3.0.0 to 4.0.0 by @dependabot[bot] in #2186
- docs: warn about anchoring RegexpWhitelist patterns by @lestrrat in #2187
- autodoc updates by @github-actions[bot] in #2188
- build(deps): bump golang.org/x/crypto from 0.52.0 to 0.53.0 by @dependabot[bot] in #2193
- build(deps): bump pozil/auto-assign-issue from 4.0.0 to 4.0.1 by @dependabot[bot] in #2194
- clear pooled error slice before reuse by @lestrrat in #2195
- avoid full-string rune alloc in alg error by @lestrrat in #2196
- release json registry lock before decoder call by @lestrrat in #2197
- compute cbc-hmac aad bit length in uint64 by @lestrrat in #2198
- error on nil curve and oversized d at import by @lestrrat in #2199
- error on unavailable thumbprint hash by @lestrrat in #2200
- handle nil clock and validator in validate by @lestrrat in #2202
- reset private claims on token unmarshal by @lestrrat in #2203
- apply jwt settings only when supplied by @lestrrat in #2204
- validate use field at jwk parse time by @lestrrat in #2205
- document intentional ecdsa high-s acceptance by @lestrrat in #2213
- read jwe zip only from protected header by @lestrrat in #2206
- enforce aead wire tag and iv length on decrypt by @lestrrat in #2207
- require 8-octet minimum pbes2 salt by @lestrrat in #2208
- require empty encrypted_key for direct cek by @lestrrat in #2209
- error on wrong-length ed25519 key by @lestrrat in #2201
- enforce protected alg match in jws verify by @lestrrat in #2212
- document intentional lenient base64 in verify by @lestrrat in #2214
- reject detached payload when payload present by @lestrrat in #2211
- document jwk alg is informational, not validated by @lestrrat in #2215
- document symmetric key length not validated by @lestrrat in #2216
- document rsa private params not validated by @lestrrat in #2217
- note AlgorithmsForKey does not validate key length by @lestrrat in #2222
- document okp public key not bound to scalar by @lestrrat in #2219
- document Chain.Get returns aliased read-only slice by @lestrrat in #2220
- fix WithPedantic doc: typ is not checked by @lestrrat in #2221
- document ec private scalar not bound to point by @lestrrat in #2218
- extend direct-mode empty key guard to ml-kem by @lestrrat in #2223
- add bazel test target for internal/json by @lestrrat in #2224
- build(deps): bump actions/checkout from 6.0.3 to 7.0.0 by @dependabot[bot] in #2227
- build(deps): bump actions/cache from 5.0.5 to 6.0.0 by @dependabot[bot] in #2232
- build(deps): bump actions/setup-go from 6.4.0 to 6.5.0 by @dependabot[bot] in #2233
- fix: reject duplicate JOSE headers on fast path by @lestrrat in #2236
- build(deps): bump actions/cache from 6.0.0 to 6.1.0 by @dependabot[bot] in #2239
- docs: add unreleased Changes entries by @lestrrat in #2240
- chore: run jwkfetch in companion test sweep by @lestrrat in #2244
Full Changelog: v4.0.2...v4.1.0