⚠ BREAKING CHANGES
- the
JWE.decryptoptionalgorithmswas removed and replaced with contentEncryptionAlgorithms (handlesencallowlist) and keyManagementAlgorithms (handlesalgallowlist) - the
JWT.verifyprofile option was removed, use e.g.JWT.IdToken.verifyinstead. - removed the
maxAuthAgeJWT.verifyoption, this option is now only present at the specific JWT profile APIs where the
auth_timeproperty applies. - removed the
nonceJWT.verifyoption, this option is now only present at the specific JWT profile APIs where the
nonceproperty applies. - the
acr,amr,nonceandazpclaim value types will only be checked when verifying a specific JWT profile using its dedicated API. - using the draft implementing APIs will emit a one-time warning per process using
process.emitWarning JWT.signfunction options no longer accept anonceproperty. To create a JWT with anoncejust pass the value to the payload.- due to added ESM module support Node.js version with ESM implementation bugs are no longer supported, this only affects early v13.x versions. The resulting Node.js semver range is
>=10.13.0 < 13 || >=13.7.0 - deprecated method
JWK.importKeywas removed - deprecated method
JWKS.KeyStore.fromJWKSwas removed - the use of unregistered curve name P-256K for secp256k1 was removed
- jose.JWE.Encrypt constructor aad and unprotectedHeader arguments swapped places
- jose.JWE.encrypt.flattened header (unprotectedHeader) and aad arguments swapped places
- jose.JWE.encrypt.general header (unprotectedHeader) and aad arguments swapped places
- JWS.verify returned payloads are now always buffers
- JWS.verify options
encodingandparsewere removed
Features
- added support for ESM (ECMAScript modules) (1aa9035)
- decrypt allowlists for both key management and content encryption (30e5c46)
Bug Fixes
- typescript: allow Buffer when verifying detached signature (cadbd04)
- typescript: properly type all decode/verify/decrypt fn options (4c23bd6)