fix(deps): update module github.com/lestrrat-go/jwx/v3 to v3.1.0 #296

2026-04-22T01:01:04Z

renovate commented

2026-04-22 01:01:04 +00:00

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/lestrrat-go/jwx/v3	`v3.0.13` → `v3.1.0`

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v3)

`v3.1.0`

Compare Source

See Changes file for curated list of changes

What's Changed

Appease linter by @lestrrat in #1543
Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @dependabot[bot] in #1538
Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #1542
Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #1536
Bump actions/cache from 5.0.1 to 5.0.2 by @dependabot[bot] in #1539
Add AGENTS.md by @lestrrat in #1546
exclude AGENTS.md by @lestrrat in #1548
Bump actions/cache from 5.0.2 to 5.0.3 by @dependabot[bot] in #1545
Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @dependabot[bot] in #1535
Add symlink by @lestrrat in #1549
Fix jwk.Cache worker issues by @lestrrat in #1552
Exclude CLAUDE.md from autodoc by @lestrrat in #1555
Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @dependabot[bot] in #1561
Bump actions/stale from 10.1.1 to 10.2.0 by @dependabot[bot] in #1559
Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @dependabot[bot] in #1557
Reduce allocations in concatkdf Read by @lestrrat in #1562
Eliminate redundant lock acquisitions in LookupKeyID by @lestrrat in #1563
Replace make+copy with bytes.Clone by @lestrrat in #1564
Use base64.Encode instead of EncodeToString in JWS marshal by @lestrrat in #1565
Cache keyalg/ctalg String() in JWE encrypt/decrypt by @lestrrat in #1566
Inline ndata() in concatkdf New by @lestrrat in #1567
Fix dependabot workflow by @lestrrat in #1574
Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @dependabot[bot] in #1568
Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @dependabot[bot] in #1570
Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @dependabot[bot] in #1571
Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #1573
harden dependabot workflow by @lestrrat in #1575
fix inverted rlocker condition in RSA key export by @lestrrat in #1576
Fix jwe decrypt typo by @lestrrat in #1577
Fix example naming by @lestrrat in #1578
Chore remove unused blank assigns by @lestrrat in #1579
add WhitelistError sentinel, use errors.Is in test by @lestrrat in #1581
standardize error helpers in jws and jwe by @lestrrat in #1582
add fuzz testing infrastructure for jwt/jws/jwe/jwk by @lestrrat in #1583
fix flaky cache and jwt validation tests by @lestrrat in #1585
add .claude/docs and pre-read rules to AGENTS.md by @lestrrat in #1584
Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @dependabot[bot] in #1587
Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @dependabot[bot] in #1590
Bump actions/cache from 5.0.3 to 5.0.4 by @dependabot[bot] in #1593
Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @dependabot[bot] in #1589
Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @dependabot[bot] in #1595
use standard go deprecation markers in jws by @lestrrat in #1596
fix probe field name in panic message by @lestrrat in #1597
Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @dependabot[bot] in #1599
Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #1600
enforce crit header validation in jws.Verify per RFC 7515 by @lestrrat in #1601
validate crit header in VerifyCompactFast by @lestrrat in #1602
fix X25519 ECDH-ES to include apu/apv in KDF by @lestrrat in #1603
enforce minimum PBES2 iteration count by @lestrrat in #1604
reject null JSON values for string claims (#1484) by @lestrrat in #1605
add RFC 9864 fully-specified EdDSA signature algorithms by @lestrrat in #1606
add extension APIs and KeyKind dispatch for external algorithm modules by @lestrrat in #1607
add jwkunsafe package docs and tests by @lestrrat in #1609
delegate custom algorithm registration to dsig by @lestrrat in #1610
autodoc updates by @github-actions[bot] in #1611
pin ed448 module to latest jwx by @lestrrat in #1612
move ed448 to external jwx-circl-ed448 repo by @lestrrat in #1613
autodoc updates by @github-actions[bot] in #1614
pin jwx-circl-ed448 to latest commit by @lestrrat in #1615
update Changes for v3.0.14 by @lestrrat in #1616
use jwk.Import fallback in AlgorithmsForKey by @lestrrat in #1617
fix OKP key export dispatch for Ed448 by @lestrrat in #1618
fix misleading Ed448 dispatch comments in jwsbb by @lestrrat in #1619
add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @lestrrat in #1620
pin jwx-circl-ed448 to ce28e4b in examples by @lestrrat in #1621
add WithMaxFetchBodySize to limit Fetch response body by @lestrrat in #1622
add per-call PBES2 count overrides to jwe.Decrypt by @lestrrat in #1623
fix X509CertChain() to return false when chain is nil by @lestrrat in #1624
fix data race in x509 decoder registry iteration by @lestrrat in #1625
add max key count limit to PEM parsing loop by @lestrrat in #1626
reject negative WithAcceptableSkew in jwt.Validate by @lestrrat in #1627
accept year 0000 in OIDC birthdate per spec by @lestrrat in #1628
update Changes for #1620-#1628 by @lestrrat in #1629
add max input size limit to jwt/jwe ParseReader by @lestrrat in #1630
add global default for MaxFetchBodySize by @lestrrat in #1631
fix parse size limit race, validation, and jws coverage by @lestrrat in #1632
add max recipients limit for JWE messages by @lestrrat in #1633
add default HTTP timeout for jwk.Fetch by @lestrrat in #1634
document jti replay protection as caller responsibility by @lestrrat in #1635
add max signatures limit for JWS messages by @lestrrat in #1636
add default redirect policy for jwk.Fetch by @lestrrat in #1637
add jwk.DefaultHTTPClient by @lestrrat in #1638
check redirect scheme downgrade at every hop by @lestrrat in #1639
apply default redirect policy to jwk.Cache by @lestrrat in #1640
make null string claim rejection opt-in by @lestrrat in #1641
add jwk.WrapHTTPClientDefaults by @lestrrat in #1642
update Changes for #1630-#1640 by @lestrrat in #1643
document WithHTTPClient bypass of defaults by @lestrrat in #1646
use atomic wrappers for global settings by @lestrrat in #1647
reuse shared HTTP client in Cache.Register by @lestrrat in #1648
accept ParseOption in jws.ParseString by @lestrrat in #1650
validate maxSignatures is positive by @lestrrat in #1649
document body size limit approach in jwk.Fetch by @lestrrat in #1651
remove minor entries from Changes by @lestrrat in #1653
make WithStrictStringClaims per-call only by @lestrrat in #1654
add per-call opt-out for crit header validation by @lestrrat in #1655
protect global settings with mutex by @lestrrat in #1656
document WithStrictStringClaims scope to JWT only by @lestrrat in #1657
document WithStrictStringClaims scope includes JWK by @lestrrat in #1658
deep-copy slice fields in generated Set methods by @lestrrat in #1659
zero private key fields on UnmarshalJSON error by @lestrrat in #1660
document x509 validation as out of scope by @lestrrat in #1661
update Changes for #1659 and #1660 by @lestrrat in #1662
fix inconsistent mutex locking in data structures by @lestrrat in #1666
replace intermediate map in MarshalJSON with pair+pool by @lestrrat in #1667
validate algorithm-key compatibility in WithKey by @lestrrat in #1668
reduce allocations in JWE encrypt path by @lestrrat in #1676
Bump golang.org/x/crypto from 0.49.0 to 0.50.0 by @dependabot[bot] in #1684
clean up jws sign/verify code for legibility by @lestrrat in #1687
clean up jws sign/verify key selection code by @lestrrat in #1689
fix dependabot workflow for develop/v2 bazel by @lestrrat in #1691
use squash merge in dependabot workflow by @lestrrat in #1692
remove auto-approve and auto-merge from dependabot workflow by @lestrrat in #1693
scrub full backing array in byte slice pool by @lestrrat in #1729
clear fieldPair list before returning to pool by @lestrrat in #1732
rework jws crit header validation by @lestrrat in #1733
add jwe crit header validation by @lestrrat in #1735
clone per-recipient headers, recycle via headerPool by @lestrrat in #1739
reject ecdh keys in AlgorithmsForKey by @lestrrat in #1741
stop pooling escaping big.Int in buildRSAPublicKey by @lestrrat in #1745
auto-declare b64 crit when WithDetachedPayload is set by @lestrrat in #1748
fail loudly on rand.Reader errors in key gen helpers by @lestrrat in #1751
drop big.Int pool by @lestrrat in #1754
fix race in jwk/ecdsa lookup functions by @lestrrat in #1756
clone protected headers in signatureBuilder.Build by @lestrrat in #1759
fix ValidationCtx extractors panicking on uninitialized contexts by @lestrrat in #1761
docs: note ES256K low-S non-enforcement by @lestrrat in #1763
reject empty ciphertext/iv/tag in jwe.Message.UnmarshalJSON by @lestrrat in #1768
drop unprotected header merge from jwe.Decrypt by @lestrrat in #1770
document VerifyCompactFast b64:true assumption by @lestrrat in #1773
pin unprotected header merge fix with regression test by @lestrrat in #1776
validate AES-CBC IV length in aescbc.Hmac.Open by @lestrrat in #1778
reslice pooled jwe buffers before defer by @lestrrat in #1781
reject sub-minimum input in RFC 3394 keywrap primitives by @lestrrat in #1784
add jwe.WithPBES2Count encrypt option by @lestrrat in #1782
jwe: use privkey.Size() for RSA PKCS1v1.5 length check by @lestrrat in #1788
document default InsecureWhitelist on jwk.Fetch (JWK-001) by @lestrrat in #1790
reject crit-bearing messages in jws.VerifyCompactFast by @lestrrat in #1793
jwe: stop aliasing AAD backing slices when concatenating external aad by @lestrrat in #1796
validate ECDSA point on curve (JWK-003) by @lestrrat in #1797
copy recipientKey in KeyDecryptAESGCMKW to avoid caller aliasing (JWE-002) by @lestrrat in #1800
strip key options in jwt.ParseInsecure by @lestrrat in #1802
Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in #1795
enforce jws signatures cap before decoding entries by @lestrrat in #1804
cap SplitCompactReader non-finite reads at 10 MiB by @lestrrat in #1806
copy rawKey in symmetricKey.Import to avoid caller aliasing by @lestrrat in #1808
enforce max parse input size in jws.Parse and jwe.Parse by @lestrrat in #1809
fix cert.Chain.Add to strip real PEM markers by @lestrrat in #1814
fix jwk x509 decoder unregister index and race by @lestrrat in #1812
fix jwt fast path json injection via unescaped kid by @lestrrat in #1817
fix nil-aware ok return in jws header accessors by @lestrrat in #1818
fix: jwk.PublicSetOf rejects symmetric keys by default (v3.1.0) by @lestrrat in #1829
autodoc updates by @github-actions[bot] in #1832
fix jwk rsa exponent truncation and thumbprint collision by @lestrrat in #1833
fix cert.Chain MarshalJSON and validate Add input by @lestrrat in #1836
fix jwt fast path json injection via unescaped alg by @lestrrat in #1838
track aes-cbc-hmac tag length independently of key size by @lestrrat in #1841
fix jwe aescbc open opaque errors by @lestrrat in #1843
fix jwe keyset selecting keys without alg field by @lestrrat in #1845
fix jwe ecdh-es invalid-curve attack surface by @lestrrat in #1847
fix jwk.Set.AddKey panic on nil or struct keys by @lestrrat in #1852
fix jwk parser to validate keys after unmarshal by @lestrrat in #1854
wrap underlying error in jwk set single-key fallback by @lestrrat in #1856
fix cmd/jwx output file mode and truncation by @lestrrat in #1858
fix jwt.ParseHeader bearer scheme per rfc 6750 by @lestrrat in #1859
make MissingRequiredClaimError.Is type-only by @lestrrat in #1862
document WithUseNumber concurrency contract as startup-only by @lestrrat in #1864
reject key-bearing options in jwt.ParseInsecure by @lestrrat in #1867
bound jws keyset verification fan-out by header alg by @lestrrat in #1869
add jwk.WithForceAssign to overwrite existing kid by @lestrrat in #1874
tighten HeaderGetStringBytes lifetime doc by @lestrrat in #1876
fix jwxio limited reader detection by @lestrrat in #1877
fix jwa error truncation by @lestrrat in #1880
fix jwa registry snapshots by @lestrrat in #1883
tighten jws validateAlgorithmForKey escape by @lestrrat in #1887
fix jws jku kid-miss silent nil by @lestrrat in #1888
surface jku kid-miss error from jkuProvider by @lestrrat in #1891
fix jws VerifyCompactFast header alg cross-check by @lestrrat in #1893
fix okp key length checks by @lestrrat in #1896
fix jwa builtin protection by @lestrrat in #1899
fix v3 rsa jwk validation by @lestrrat in #1895
fix compact sign errors by @lestrrat in #1902
zero bytes.Buffer backing array on pool return by @lestrrat in #1905
remove internal/json.Dump debug helper by @lestrrat in #1907
fix SplitCompactReader LimitedReader size bypass by @lestrrat in #1909
fix jwe godoc references by @lestrrat in #1911
fix v3 jwt package docs by @lestrrat in #1915
fix v3 jwe cek length checks by @lestrrat in #1918
make x5c cert limits configurable by @lestrrat in #1919
document v3 transform.AsMap aliasing by @lestrrat in #1920
fix v3 ecdsa algorithms snapshot by @lestrrat in #1923
fix jwxio limitedreader bounds by @lestrrat in #1924
warn about jws WithKey misuse in v3 by @lestrrat in #1930
fix v3 jws parse autodetect by @lestrrat in #1927
fix empty compact jws signature by @lestrrat in #1933
fix v3 jwe p2c validation by @lestrrat in #1935
fix v3 jwe gcmkw header typing by @lestrrat in #1939
fix v3 jwe aescbc append by @lestrrat in #1937
document jwe compression caveats by @lestrrat in #1941
warn about jwe rsa1_5 by @lestrrat in #1943
document jwe WithKey pairs in v3 by @lestrrat in #1945
fix PublicSetOf oct bypass in v3 by @lestrrat in #1946
docs: warn about short symmetric keys by @lestrrat in #1949
add jws.WithDetachedPayloadReader for streaming detached payloads by @lestrrat in #1663
jws: return non-nil empty []byte from streaming Verify by @lestrrat in #1979
clarify jwe decrypt unprotected-header scope by @lestrrat in #1983
drop raw input-byte caps from parse apis by @lestrrat in #1985
fix ClaimValueIs panic on non-comparable values by @lestrrat in #1987
clarify EncryptStatic CEK for direct-CEK algs by @lestrrat in #1990
jwk: add WithMaxKeys cap on JWKS entries by @lestrrat in #1991
jws: expand WithDetachedPayloadReader encoder-missing error with install hint by @lestrrat in #1993
jws: document goroutine-safety for WithDetachedPayloadReader by @lestrrat in #1997
jws: explain RFC 8032 EdDSA streaming incompatibility in error message by @lestrrat in #1995
jws: align streaming HMAC key-type error with non-streaming path by @lestrrat in #2000
jwe: fix grammar in ECDH-ES/DIRECT multi-recipient error by @lestrrat in #2002
jws: drop double-wrap on compact parse errors by @lestrrat in #2004
jwt: guard Validate against nil token by @lestrrat in #2007
jws: make jkuProvider surface missing-alg error by @lestrrat in #2009
jws: surface per-key selectKey errors in keySetProvider by @lestrrat in #2011
jws: surface use=enc mismatch as explicit error by @lestrrat in #2013
jwt: stop using dynamic fmt.Errorf format string in ParseRequest by @lestrrat in #2017
jws: document kid precedence on WithProtectedHeaders by @lestrrat in #2024
jwk: add WithRejectDuplicateKID parse option by @lestrrat in #2027
jwk: replace misleading RegisterKeyImporter godoc by @lestrrat in #2029
jwt: wrap unsupported-time-claim error as ValidateError by @lestrrat in #2015
changes: add jwk.WithRejectDuplicateKID entry by @lestrrat in #2033
fix v3.1.0 changelog inaccuracies and add missing entries by @lestrrat in #2037

Full Changelog: https://github.com/lestrrat-go/jwx/compare/v3.0.13...v3.1.0

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [github.com/lestrrat-go/jwx/v3](https://github.com/lestrrat-go/jwx) | `v3.0.13` → `v3.1.0` | ![age](https://developer.mend.io/api/mc/badges/age/go/github.com%2flestrrat-go%2fjwx%2fv3/v3.1.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/go/github.com%2flestrrat-go%2fjwx%2fv3/v3.0.13/v3.1.0?slim=true) | --- ### Release Notes <details> <summary>lestrrat-go/jwx (github.com/lestrrat-go/jwx/v3)</summary> ### [`v3.1.0`](https://github.com/lestrrat-go/jwx/releases/tag/v3.1.0) [Compare Source](https://github.com/lestrrat-go/jwx/compare/v3.0.13...v3.1.0) See Changes file for curated list of changes #### What's Changed - Appease linter by [@lestrrat](https://github.com/lestrrat) in [#1543](https://github.com/lestrrat-go/jwx/pull/1543) - Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#1538](https://github.com/lestrrat-go/jwx/pull/1538) - Bump actions/checkout from 6.0.1 to 6.0.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#1542](https://github.com/lestrrat-go/jwx/pull/1542) - Bump actions/setup-go from 6.1.0 to 6.2.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1536](https://github.com/lestrrat-go/jwx/pull/1536) - Bump actions/cache from 5.0.1 to 5.0.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#1539](https://github.com/lestrrat-go/jwx/pull/1539) - Add AGENTS.md by [@lestrrat](https://github.com/lestrrat) in [#1546](https://github.com/lestrrat-go/jwx/pull/1546) - exclude AGENTS.md by [@lestrrat](https://github.com/lestrrat) in [#1548](https://github.com/lestrrat-go/jwx/pull/1548) - Bump actions/cache from 5.0.2 to 5.0.3 by [@dependabot](https://github.com/dependabot)\[bot] in [#1545](https://github.com/lestrrat-go/jwx/pull/1545) - Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1535](https://github.com/lestrrat-go/jwx/pull/1535) - Add symlink by [@lestrrat](https://github.com/lestrrat) in [#1549](https://github.com/lestrrat-go/jwx/pull/1549) - Fix jwk.Cache worker issues by [@lestrrat](https://github.com/lestrrat) in [#1552](https://github.com/lestrrat-go/jwx/pull/1552) - Exclude CLAUDE.md from autodoc by [@lestrrat](https://github.com/lestrrat) in [#1555](https://github.com/lestrrat-go/jwx/pull/1555) - Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by [@dependabot](https://github.com/dependabot)\[bot] in [#1561](https://github.com/lestrrat-go/jwx/pull/1561) - Bump actions/stale from 10.1.1 to 10.2.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1559](https://github.com/lestrrat-go/jwx/pull/1559) - Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1557](https://github.com/lestrrat-go/jwx/pull/1557) - Reduce allocations in concatkdf Read by [@lestrrat](https://github.com/lestrrat) in [#1562](https://github.com/lestrrat-go/jwx/pull/1562) - Eliminate redundant lock acquisitions in LookupKeyID by [@lestrrat](https://github.com/lestrrat) in [#1563](https://github.com/lestrrat-go/jwx/pull/1563) - Replace make+copy with bytes.Clone by [@lestrrat](https://github.com/lestrrat) in [#1564](https://github.com/lestrrat-go/jwx/pull/1564) - Use base64.Encode instead of EncodeToString in JWS marshal by [@lestrrat](https://github.com/lestrrat) in [#1565](https://github.com/lestrrat-go/jwx/pull/1565) - Cache keyalg/ctalg String() in JWE encrypt/decrypt by [@lestrrat](https://github.com/lestrrat) in [#1566](https://github.com/lestrrat-go/jwx/pull/1566) - Inline ndata() in concatkdf New by [@lestrrat](https://github.com/lestrrat) in [#1567](https://github.com/lestrrat-go/jwx/pull/1567) - Fix dependabot workflow by [@lestrrat](https://github.com/lestrrat) in [#1574](https://github.com/lestrrat-go/jwx/pull/1574) - Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by [@dependabot](https://github.com/dependabot)\[bot] in [#1568](https://github.com/lestrrat-go/jwx/pull/1568) - Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by [@dependabot](https://github.com/dependabot)\[bot] in [#1570](https://github.com/lestrrat-go/jwx/pull/1570) - Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by [@dependabot](https://github.com/dependabot)\[bot] in [#1571](https://github.com/lestrrat-go/jwx/pull/1571) - Bump actions/setup-go from 6.2.0 to 6.3.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1573](https://github.com/lestrrat-go/jwx/pull/1573) - harden dependabot workflow by [@lestrrat](https://github.com/lestrrat) in [#1575](https://github.com/lestrrat-go/jwx/pull/1575) - fix inverted rlocker condition in RSA key export by [@lestrrat](https://github.com/lestrrat) in [#1576](https://github.com/lestrrat-go/jwx/pull/1576) - Fix jwe decrypt typo by [@lestrrat](https://github.com/lestrrat) in [#1577](https://github.com/lestrrat-go/jwx/pull/1577) - Fix example naming by [@lestrrat](https://github.com/lestrrat) in [#1578](https://github.com/lestrrat-go/jwx/pull/1578) - Chore remove unused blank assigns by [@lestrrat](https://github.com/lestrrat) in [#1579](https://github.com/lestrrat-go/jwx/pull/1579) - add WhitelistError sentinel, use errors.Is in test by [@lestrrat](https://github.com/lestrrat) in [#1581](https://github.com/lestrrat-go/jwx/pull/1581) - standardize error helpers in jws and jwe by [@lestrrat](https://github.com/lestrrat) in [#1582](https://github.com/lestrrat-go/jwx/pull/1582) - add fuzz testing infrastructure for jwt/jws/jwe/jwk by [@lestrrat](https://github.com/lestrrat) in [#1583](https://github.com/lestrrat-go/jwx/pull/1583) - fix flaky cache and jwt validation tests by [@lestrrat](https://github.com/lestrrat) in [#1585](https://github.com/lestrrat-go/jwx/pull/1585) - add .claude/docs and pre-read rules to AGENTS.md by [@lestrrat](https://github.com/lestrrat) in [#1584](https://github.com/lestrrat-go/jwx/pull/1584) - Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1587](https://github.com/lestrrat-go/jwx/pull/1587) - Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by [@dependabot](https://github.com/dependabot)\[bot] in [#1590](https://github.com/lestrrat-go/jwx/pull/1590) - Bump actions/cache from 5.0.3 to 5.0.4 by [@dependabot](https://github.com/dependabot)\[bot] in [#1593](https://github.com/lestrrat-go/jwx/pull/1593) - Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by [@dependabot](https://github.com/dependabot)\[bot] in [#1589](https://github.com/lestrrat-go/jwx/pull/1589) - Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by [@dependabot](https://github.com/dependabot)\[bot] in [#1595](https://github.com/lestrrat-go/jwx/pull/1595) - use standard go deprecation markers in jws by [@lestrrat](https://github.com/lestrrat) in [#1596](https://github.com/lestrrat-go/jwx/pull/1596) - fix probe field name in panic message by [@lestrrat](https://github.com/lestrrat) in [#1597](https://github.com/lestrrat-go/jwx/pull/1597) - Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by [@dependabot](https://github.com/dependabot)\[bot] in [#1599](https://github.com/lestrrat-go/jwx/pull/1599) - Bump actions/setup-go from 6.3.0 to 6.4.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1600](https://github.com/lestrrat-go/jwx/pull/1600) - enforce crit header validation in jws.Verify per RFC 7515 by [@lestrrat](https://github.com/lestrrat) in [#1601](https://github.com/lestrrat-go/jwx/pull/1601) - validate crit header in VerifyCompactFast by [@lestrrat](https://github.com/lestrrat) in [#1602](https://github.com/lestrrat-go/jwx/pull/1602) - fix X25519 ECDH-ES to include apu/apv in KDF by [@lestrrat](https://github.com/lestrrat) in [#1603](https://github.com/lestrrat-go/jwx/pull/1603) - enforce minimum PBES2 iteration count by [@lestrrat](https://github.com/lestrrat) in [#1604](https://github.com/lestrrat-go/jwx/pull/1604) - reject null JSON values for string claims ([#1484](https://github.com/lestrrat-go/jwx/issues/1484)) by [@lestrrat](https://github.com/lestrrat) in [#1605](https://github.com/lestrrat-go/jwx/pull/1605) - add RFC 9864 fully-specified EdDSA signature algorithms by [@lestrrat](https://github.com/lestrrat) in [#1606](https://github.com/lestrrat-go/jwx/pull/1606) - add extension APIs and KeyKind dispatch for external algorithm modules by [@lestrrat](https://github.com/lestrrat) in [#1607](https://github.com/lestrrat-go/jwx/pull/1607) - add jwkunsafe package docs and tests by [@lestrrat](https://github.com/lestrrat) in [#1609](https://github.com/lestrrat-go/jwx/pull/1609) - delegate custom algorithm registration to dsig by [@lestrrat](https://github.com/lestrrat) in [#1610](https://github.com/lestrrat-go/jwx/pull/1610) - autodoc updates by [@github-actions](https://github.com/github-actions)\[bot] in [#1611](https://github.com/lestrrat-go/jwx/pull/1611) - pin ed448 module to latest jwx by [@lestrrat](https://github.com/lestrrat) in [#1612](https://github.com/lestrrat-go/jwx/pull/1612) - move ed448 to external jwx-circl-ed448 repo by [@lestrrat](https://github.com/lestrrat) in [#1613](https://github.com/lestrrat-go/jwx/pull/1613) - autodoc updates by [@github-actions](https://github.com/github-actions)\[bot] in [#1614](https://github.com/lestrrat-go/jwx/pull/1614) - pin jwx-circl-ed448 to latest commit by [@lestrrat](https://github.com/lestrrat) in [#1615](https://github.com/lestrrat-go/jwx/pull/1615) - update Changes for v3.0.14 by [@lestrrat](https://github.com/lestrrat) in [#1616](https://github.com/lestrrat-go/jwx/pull/1616) - use jwk.Import fallback in AlgorithmsForKey by [@lestrrat](https://github.com/lestrrat) in [#1617](https://github.com/lestrrat-go/jwx/pull/1617) - fix OKP key export dispatch for Ed448 by [@lestrrat](https://github.com/lestrrat) in [#1618](https://github.com/lestrrat-go/jwx/pull/1618) - fix misleading Ed448 dispatch comments in jwsbb by [@lestrrat](https://github.com/lestrrat) in [#1619](https://github.com/lestrrat-go/jwx/pull/1619) - add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by [@lestrrat](https://github.com/lestrrat) in [#1620](https://github.com/lestrrat-go/jwx/pull/1620) - pin jwx-circl-ed448 to [`ce28e4b`](https://github.com/lestrrat-go/jwx/commit/ce28e4bb) in examples by [@lestrrat](https://github.com/lestrrat) in [#1621](https://github.com/lestrrat-go/jwx/pull/1621) - add WithMaxFetchBodySize to limit Fetch response body by [@lestrrat](https://github.com/lestrrat) in [#1622](https://github.com/lestrrat-go/jwx/pull/1622) - add per-call PBES2 count overrides to jwe.Decrypt by [@lestrrat](https://github.com/lestrrat) in [#1623](https://github.com/lestrrat-go/jwx/pull/1623) - fix X509CertChain() to return false when chain is nil by [@lestrrat](https://github.com/lestrrat) in [#1624](https://github.com/lestrrat-go/jwx/pull/1624) - fix data race in x509 decoder registry iteration by [@lestrrat](https://github.com/lestrrat) in [#1625](https://github.com/lestrrat-go/jwx/pull/1625) - add max key count limit to PEM parsing loop by [@lestrrat](https://github.com/lestrrat) in [#1626](https://github.com/lestrrat-go/jwx/pull/1626) - reject negative WithAcceptableSkew in jwt.Validate by [@lestrrat](https://github.com/lestrrat) in [#1627](https://github.com/lestrrat-go/jwx/pull/1627) - accept year 0000 in OIDC birthdate per spec by [@lestrrat](https://github.com/lestrrat) in [#1628](https://github.com/lestrrat-go/jwx/pull/1628) - update Changes for [#1620](https://github.com/lestrrat-go/jwx/issues/1620)-[#1628](https://github.com/lestrrat-go/jwx/issues/1628) by [@lestrrat](https://github.com/lestrrat) in [#1629](https://github.com/lestrrat-go/jwx/pull/1629) - add max input size limit to jwt/jwe ParseReader by [@lestrrat](https://github.com/lestrrat) in [#1630](https://github.com/lestrrat-go/jwx/pull/1630) - add global default for MaxFetchBodySize by [@lestrrat](https://github.com/lestrrat) in [#1631](https://github.com/lestrrat-go/jwx/pull/1631) - fix parse size limit race, validation, and jws coverage by [@lestrrat](https://github.com/lestrrat) in [#1632](https://github.com/lestrrat-go/jwx/pull/1632) - add max recipients limit for JWE messages by [@lestrrat](https://github.com/lestrrat) in [#1633](https://github.com/lestrrat-go/jwx/pull/1633) - add default HTTP timeout for jwk.Fetch by [@lestrrat](https://github.com/lestrrat) in [#1634](https://github.com/lestrrat-go/jwx/pull/1634) - document jti replay protection as caller responsibility by [@lestrrat](https://github.com/lestrrat) in [#1635](https://github.com/lestrrat-go/jwx/pull/1635) - add max signatures limit for JWS messages by [@lestrrat](https://github.com/lestrrat) in [#1636](https://github.com/lestrrat-go/jwx/pull/1636) - add default redirect policy for jwk.Fetch by [@lestrrat](https://github.com/lestrrat) in [#1637](https://github.com/lestrrat-go/jwx/pull/1637) - add jwk.DefaultHTTPClient by [@lestrrat](https://github.com/lestrrat) in [#1638](https://github.com/lestrrat-go/jwx/pull/1638) - check redirect scheme downgrade at every hop by [@lestrrat](https://github.com/lestrrat) in [#1639](https://github.com/lestrrat-go/jwx/pull/1639) - apply default redirect policy to jwk.Cache by [@lestrrat](https://github.com/lestrrat) in [#1640](https://github.com/lestrrat-go/jwx/pull/1640) - make null string claim rejection opt-in by [@lestrrat](https://github.com/lestrrat) in [#1641](https://github.com/lestrrat-go/jwx/pull/1641) - add jwk.WrapHTTPClientDefaults by [@lestrrat](https://github.com/lestrrat) in [#1642](https://github.com/lestrrat-go/jwx/pull/1642) - update Changes for [#1630](https://github.com/lestrrat-go/jwx/issues/1630)-[#1640](https://github.com/lestrrat-go/jwx/issues/1640) by [@lestrrat](https://github.com/lestrrat) in [#1643](https://github.com/lestrrat-go/jwx/pull/1643) - document WithHTTPClient bypass of defaults by [@lestrrat](https://github.com/lestrrat) in [#1646](https://github.com/lestrrat-go/jwx/pull/1646) - use atomic wrappers for global settings by [@lestrrat](https://github.com/lestrrat) in [#1647](https://github.com/lestrrat-go/jwx/pull/1647) - reuse shared HTTP client in Cache.Register by [@lestrrat](https://github.com/lestrrat) in [#1648](https://github.com/lestrrat-go/jwx/pull/1648) - accept ParseOption in jws.ParseString by [@lestrrat](https://github.com/lestrrat) in [#1650](https://github.com/lestrrat-go/jwx/pull/1650) - validate maxSignatures is positive by [@lestrrat](https://github.com/lestrrat) in [#1649](https://github.com/lestrrat-go/jwx/pull/1649) - document body size limit approach in jwk.Fetch by [@lestrrat](https://github.com/lestrrat) in [#1651](https://github.com/lestrrat-go/jwx/pull/1651) - remove minor entries from Changes by [@lestrrat](https://github.com/lestrrat) in [#1653](https://github.com/lestrrat-go/jwx/pull/1653) - make WithStrictStringClaims per-call only by [@lestrrat](https://github.com/lestrrat) in [#1654](https://github.com/lestrrat-go/jwx/pull/1654) - add per-call opt-out for crit header validation by [@lestrrat](https://github.com/lestrrat) in [#1655](https://github.com/lestrrat-go/jwx/pull/1655) - protect global settings with mutex by [@lestrrat](https://github.com/lestrrat) in [#1656](https://github.com/lestrrat-go/jwx/pull/1656) - document WithStrictStringClaims scope to JWT only by [@lestrrat](https://github.com/lestrrat) in [#1657](https://github.com/lestrrat-go/jwx/pull/1657) - document WithStrictStringClaims scope includes JWK by [@lestrrat](https://github.com/lestrrat) in [#1658](https://github.com/lestrrat-go/jwx/pull/1658) - deep-copy slice fields in generated Set methods by [@lestrrat](https://github.com/lestrrat) in [#1659](https://github.com/lestrrat-go/jwx/pull/1659) - zero private key fields on UnmarshalJSON error by [@lestrrat](https://github.com/lestrrat) in [#1660](https://github.com/lestrrat-go/jwx/pull/1660) - document x509 validation as out of scope by [@lestrrat](https://github.com/lestrrat) in [#1661](https://github.com/lestrrat-go/jwx/pull/1661) - update Changes for [#1659](https://github.com/lestrrat-go/jwx/issues/1659) and [#1660](https://github.com/lestrrat-go/jwx/issues/1660) by [@lestrrat](https://github.com/lestrrat) in [#1662](https://github.com/lestrrat-go/jwx/pull/1662) - fix inconsistent mutex locking in data structures by [@lestrrat](https://github.com/lestrrat) in [#1666](https://github.com/lestrrat-go/jwx/pull/1666) - replace intermediate map in MarshalJSON with pair+pool by [@lestrrat](https://github.com/lestrrat) in [#1667](https://github.com/lestrrat-go/jwx/pull/1667) - validate algorithm-key compatibility in WithKey by [@lestrrat](https://github.com/lestrrat) in [#1668](https://github.com/lestrrat-go/jwx/pull/1668) - reduce allocations in JWE encrypt path by [@lestrrat](https://github.com/lestrrat) in [#1676](https://github.com/lestrrat-go/jwx/pull/1676) - Bump golang.org/x/crypto from 0.49.0 to 0.50.0 by [@dependabot](https://github.com/dependabot)\[bot] in [#1684](https://github.com/lestrrat-go/jwx/pull/1684) - clean up jws sign/verify code for legibility by [@lestrrat](https://github.com/lestrrat) in [#1687](https://github.com/lestrrat-go/jwx/pull/1687) - clean up jws sign/verify key selection code by [@lestrrat](https://github.com/lestrrat) in [#1689](https://github.com/lestrrat-go/jwx/pull/1689) - fix dependabot workflow for develop/v2 bazel by [@lestrrat](https://github.com/lestrrat) in [#1691](https://github.com/lestrrat-go/jwx/pull/1691) - use squash merge in dependabot workflow by [@lestrrat](https://github.com/lestrrat) in [#1692](https://github.com/lestrrat-go/jwx/pull/1692) - remove auto-approve and auto-merge from dependabot workflow by [@lestrrat](https://github.com/lestrrat) in [#1693](https://github.com/lestrrat-go/jwx/pull/1693) - scrub full backing array in byte slice pool by [@lestrrat](https://github.com/lestrrat) in [#1729](https://github.com/lestrrat-go/jwx/pull/1729) - clear fieldPair list before returning to pool by [@lestrrat](https://github.com/lestrrat) in [#1732](https://github.com/lestrrat-go/jwx/pull/1732) - rework jws crit header validation by [@lestrrat](https://github.com/lestrrat) in [#1733](https://github.com/lestrrat-go/jwx/pull/1733) - add jwe crit header validation by [@lestrrat](https://github.com/lestrrat) in [#1735](https://github.com/lestrrat-go/jwx/pull/1735) - clone per-recipient headers, recycle via headerPool by [@lestrrat](https://github.com/lestrrat) in [#1739](https://github.com/lestrrat-go/jwx/pull/1739) - reject ecdh keys in AlgorithmsForKey by [@lestrrat](https://github.com/lestrrat) in [#1741](https://github.com/lestrrat-go/jwx/pull/1741) - stop pooling escaping big.Int in buildRSAPublicKey by [@lestrrat](https://github.com/lestrrat) in [#1745](https://github.com/lestrrat-go/jwx/pull/1745) - auto-declare b64 crit when WithDetachedPayload is set by [@lestrrat](https://github.com/lestrrat) in [#1748](https://github.com/lestrrat-go/jwx/pull/1748) - fail loudly on rand.Reader errors in key gen helpers by [@lestrrat](https://github.com/lestrrat) in [#1751](https://github.com/lestrrat-go/jwx/pull/1751) - drop big.Int pool by [@lestrrat](https://github.com/lestrrat) in [#1754](https://github.com/lestrrat-go/jwx/pull/1754) - fix race in jwk/ecdsa lookup functions by [@lestrrat](https://github.com/lestrrat) in [#1756](https://github.com/lestrrat-go/jwx/pull/1756) - clone protected headers in signatureBuilder.Build by [@lestrrat](https://github.com/lestrrat) in [#1759](https://github.com/lestrrat-go/jwx/pull/1759) - fix ValidationCtx extractors panicking on uninitialized contexts by [@lestrrat](https://github.com/lestrrat) in [#1761](https://github.com/lestrrat-go/jwx/pull/1761) - docs: note ES256K low-S non-enforcement by [@lestrrat](https://github.com/lestrrat) in [#1763](https://github.com/lestrrat-go/jwx/pull/1763) - reject empty ciphertext/iv/tag in jwe.Message.UnmarshalJSON by [@lestrrat](https://github.com/lestrrat) in [#1768](https://github.com/lestrrat-go/jwx/pull/1768) - drop unprotected header merge from jwe.Decrypt by [@lestrrat](https://github.com/lestrrat) in [#1770](https://github.com/lestrrat-go/jwx/pull/1770) - document VerifyCompactFast b64:true assumption by [@lestrrat](https://github.com/lestrrat) in [#1773](https://github.com/lestrrat-go/jwx/pull/1773) - pin unprotected header merge fix with regression test by [@lestrrat](https://github.com/lestrrat) in [#1776](https://github.com/lestrrat-go/jwx/pull/1776) - validate AES-CBC IV length in aescbc.Hmac.Open by [@lestrrat](https://github.com/lestrrat) in [#1778](https://github.com/lestrrat-go/jwx/pull/1778) - reslice pooled jwe buffers before defer by [@lestrrat](https://github.com/lestrrat) in [#1781](https://github.com/lestrrat-go/jwx/pull/1781) - reject sub-minimum input in RFC 3394 keywrap primitives by [@lestrrat](https://github.com/lestrrat) in [#1784](https://github.com/lestrrat-go/jwx/pull/1784) - add jwe.WithPBES2Count encrypt option by [@lestrrat](https://github.com/lestrrat) in [#1782](https://github.com/lestrrat-go/jwx/pull/1782) - jwe: use privkey.Size() for RSA PKCS1v1.5 length check by [@lestrrat](https://github.com/lestrrat) in [#1788](https://github.com/lestrrat-go/jwx/pull/1788) - document default InsecureWhitelist on jwk.Fetch (JWK-001) by [@lestrrat](https://github.com/lestrrat) in [#1790](https://github.com/lestrrat-go/jwx/pull/1790) - reject crit-bearing messages in jws.VerifyCompactFast by [@lestrrat](https://github.com/lestrrat) in [#1793](https://github.com/lestrrat-go/jwx/pull/1793) - jwe: stop aliasing AAD backing slices when concatenating external aad by [@lestrrat](https://github.com/lestrrat) in [#1796](https://github.com/lestrrat-go/jwx/pull/1796) - validate ECDSA point on curve (JWK-003) by [@lestrrat](https://github.com/lestrrat) in [#1797](https://github.com/lestrrat-go/jwx/pull/1797) - copy recipientKey in KeyDecryptAESGCMKW to avoid caller aliasing (JWE-002) by [@lestrrat](https://github.com/lestrrat) in [#1800](https://github.com/lestrrat-go/jwx/pull/1800) - strip key options in jwt.ParseInsecure by [@lestrrat](https://github.com/lestrrat) in [#1802](https://github.com/lestrrat-go/jwx/pull/1802) - Bump actions/cache from 5.0.4 to 5.0.5 by [@dependabot](https://github.com/dependabot)\[bot] in [#1795](https://github.com/lestrrat-go/jwx/pull/1795) - enforce jws signatures cap before decoding entries by [@lestrrat](https://github.com/lestrrat) in [#1804](https://github.com/lestrrat-go/jwx/pull/1804) - cap SplitCompactReader non-finite reads at 10 MiB by [@lestrrat](https://github.com/lestrrat) in [#1806](https://github.com/lestrrat-go/jwx/pull/1806) - copy rawKey in symmetricKey.Import to avoid caller aliasing by [@lestrrat](https://github.com/lestrrat) in [#1808](https://github.com/lestrrat-go/jwx/pull/1808) - enforce max parse input size in jws.Parse and jwe.Parse by [@lestrrat](https://github.com/lestrrat) in [#1809](https://github.com/lestrrat-go/jwx/pull/1809) - fix cert.Chain.Add to strip real PEM markers by [@lestrrat](https://github.com/lestrrat) in [#1814](https://github.com/lestrrat-go/jwx/pull/1814) - fix jwk x509 decoder unregister index and race by [@lestrrat](https://github.com/lestrrat) in [#1812](https://github.com/lestrrat-go/jwx/pull/1812) - fix jwt fast path json injection via unescaped kid by [@lestrrat](https://github.com/lestrrat) in [#1817](https://github.com/lestrrat-go/jwx/pull/1817) - fix nil-aware ok return in jws header accessors by [@lestrrat](https://github.com/lestrrat) in [#1818](https://github.com/lestrrat-go/jwx/pull/1818) - fix: jwk.PublicSetOf rejects symmetric keys by default (v3.1.0) by [@lestrrat](https://github.com/lestrrat) in [#1829](https://github.com/lestrrat-go/jwx/pull/1829) - autodoc updates by [@github-actions](https://github.com/github-actions)\[bot] in [#1832](https://github.com/lestrrat-go/jwx/pull/1832) - fix jwk rsa exponent truncation and thumbprint collision by [@lestrrat](https://github.com/lestrrat) in [#1833](https://github.com/lestrrat-go/jwx/pull/1833) - fix cert.Chain MarshalJSON and validate Add input by [@lestrrat](https://github.com/lestrrat) in [#1836](https://github.com/lestrrat-go/jwx/pull/1836) - fix jwt fast path json injection via unescaped alg by [@lestrrat](https://github.com/lestrrat) in [#1838](https://github.com/lestrrat-go/jwx/pull/1838) - track aes-cbc-hmac tag length independently of key size by [@lestrrat](https://github.com/lestrrat) in [#1841](https://github.com/lestrrat-go/jwx/pull/1841) - fix jwe aescbc open opaque errors by [@lestrrat](https://github.com/lestrrat) in [#1843](https://github.com/lestrrat-go/jwx/pull/1843) - fix jwe keyset selecting keys without alg field by [@lestrrat](https://github.com/lestrrat) in [#1845](https://github.com/lestrrat-go/jwx/pull/1845) - fix jwe ecdh-es invalid-curve attack surface by [@lestrrat](https://github.com/lestrrat) in [#1847](https://github.com/lestrrat-go/jwx/pull/1847) - fix jwk.Set.AddKey panic on nil or struct keys by [@lestrrat](https://github.com/lestrrat) in [#1852](https://github.com/lestrrat-go/jwx/pull/1852) - fix jwk parser to validate keys after unmarshal by [@lestrrat](https://github.com/lestrrat) in [#1854](https://github.com/lestrrat-go/jwx/pull/1854) - wrap underlying error in jwk set single-key fallback by [@lestrrat](https://github.com/lestrrat) in [#1856](https://github.com/lestrrat-go/jwx/pull/1856) - fix cmd/jwx output file mode and truncation by [@lestrrat](https://github.com/lestrrat) in [#1858](https://github.com/lestrrat-go/jwx/pull/1858) - fix jwt.ParseHeader bearer scheme per rfc 6750 by [@lestrrat](https://github.com/lestrrat) in [#1859](https://github.com/lestrrat-go/jwx/pull/1859) - make MissingRequiredClaimError.Is type-only by [@lestrrat](https://github.com/lestrrat) in [#1862](https://github.com/lestrrat-go/jwx/pull/1862) - document WithUseNumber concurrency contract as startup-only by [@lestrrat](https://github.com/lestrrat) in [#1864](https://github.com/lestrrat-go/jwx/pull/1864) - reject key-bearing options in jwt.ParseInsecure by [@lestrrat](https://github.com/lestrrat) in [#1867](https://github.com/lestrrat-go/jwx/pull/1867) - bound jws keyset verification fan-out by header alg by [@lestrrat](https://github.com/lestrrat) in [#1869](https://github.com/lestrrat-go/jwx/pull/1869) - add jwk.WithForceAssign to overwrite existing kid by [@lestrrat](https://github.com/lestrrat) in [#1874](https://github.com/lestrrat-go/jwx/pull/1874) - tighten HeaderGetStringBytes lifetime doc by [@lestrrat](https://github.com/lestrrat) in [#1876](https://github.com/lestrrat-go/jwx/pull/1876) - fix jwxio limited reader detection by [@lestrrat](https://github.com/lestrrat) in [#1877](https://github.com/lestrrat-go/jwx/pull/1877) - fix jwa error truncation by [@lestrrat](https://github.com/lestrrat) in [#1880](https://github.com/lestrrat-go/jwx/pull/1880) - fix jwa registry snapshots by [@lestrrat](https://github.com/lestrrat) in [#1883](https://github.com/lestrrat-go/jwx/pull/1883) - tighten jws validateAlgorithmForKey escape by [@lestrrat](https://github.com/lestrrat) in [#1887](https://github.com/lestrrat-go/jwx/pull/1887) - fix jws jku kid-miss silent nil by [@lestrrat](https://github.com/lestrrat) in [#1888](https://github.com/lestrrat-go/jwx/pull/1888) - surface jku kid-miss error from jkuProvider by [@lestrrat](https://github.com/lestrrat) in [#1891](https://github.com/lestrrat-go/jwx/pull/1891) - fix jws VerifyCompactFast header alg cross-check by [@lestrrat](https://github.com/lestrrat) in [#1893](https://github.com/lestrrat-go/jwx/pull/1893) - fix okp key length checks by [@lestrrat](https://github.com/lestrrat) in [#1896](https://github.com/lestrrat-go/jwx/pull/1896) - fix jwa builtin protection by [@lestrrat](https://github.com/lestrrat) in [#1899](https://github.com/lestrrat-go/jwx/pull/1899) - fix v3 rsa jwk validation by [@lestrrat](https://github.com/lestrrat) in [#1895](https://github.com/lestrrat-go/jwx/pull/1895) - fix compact sign errors by [@lestrrat](https://github.com/lestrrat) in [#1902](https://github.com/lestrrat-go/jwx/pull/1902) - zero bytes.Buffer backing array on pool return by [@lestrrat](https://github.com/lestrrat) in [#1905](https://github.com/lestrrat-go/jwx/pull/1905) - remove internal/json.Dump debug helper by [@lestrrat](https://github.com/lestrrat) in [#1907](https://github.com/lestrrat-go/jwx/pull/1907) - fix SplitCompactReader LimitedReader size bypass by [@lestrrat](https://github.com/lestrrat) in [#1909](https://github.com/lestrrat-go/jwx/pull/1909) - fix jwe godoc references by [@lestrrat](https://github.com/lestrrat) in [#1911](https://github.com/lestrrat-go/jwx/pull/1911) - fix v3 jwt package docs by [@lestrrat](https://github.com/lestrrat) in [#1915](https://github.com/lestrrat-go/jwx/pull/1915) - fix v3 jwe cek length checks by [@lestrrat](https://github.com/lestrrat) in [#1918](https://github.com/lestrrat-go/jwx/pull/1918) - make x5c cert limits configurable by [@lestrrat](https://github.com/lestrrat) in [#1919](https://github.com/lestrrat-go/jwx/pull/1919) - document v3 transform.AsMap aliasing by [@lestrrat](https://github.com/lestrrat) in [#1920](https://github.com/lestrrat-go/jwx/pull/1920) - fix v3 ecdsa algorithms snapshot by [@lestrrat](https://github.com/lestrrat) in [#1923](https://github.com/lestrrat-go/jwx/pull/1923) - fix jwxio limitedreader bounds by [@lestrrat](https://github.com/lestrrat) in [#1924](https://github.com/lestrrat-go/jwx/pull/1924) - warn about jws WithKey misuse in v3 by [@lestrrat](https://github.com/lestrrat) in [#1930](https://github.com/lestrrat-go/jwx/pull/1930) - fix v3 jws parse autodetect by [@lestrrat](https://github.com/lestrrat) in [#1927](https://github.com/lestrrat-go/jwx/pull/1927) - fix empty compact jws signature by [@lestrrat](https://github.com/lestrrat) in [#1933](https://github.com/lestrrat-go/jwx/pull/1933) - fix v3 jwe p2c validation by [@lestrrat](https://github.com/lestrrat) in [#1935](https://github.com/lestrrat-go/jwx/pull/1935) - fix v3 jwe gcmkw header typing by [@lestrrat](https://github.com/lestrrat) in [#1939](https://github.com/lestrrat-go/jwx/pull/1939) - fix v3 jwe aescbc append by [@lestrrat](https://github.com/lestrrat) in [#1937](https://github.com/lestrrat-go/jwx/pull/1937) - document jwe compression caveats by [@lestrrat](https://github.com/lestrrat) in [#1941](https://github.com/lestrrat-go/jwx/pull/1941) - warn about jwe rsa1\_5 by [@lestrrat](https://github.com/lestrrat) in [#1943](https://github.com/lestrrat-go/jwx/pull/1943) - document jwe WithKey pairs in v3 by [@lestrrat](https://github.com/lestrrat) in [#1945](https://github.com/lestrrat-go/jwx/pull/1945) - fix PublicSetOf oct bypass in v3 by [@lestrrat](https://github.com/lestrrat) in [#1946](https://github.com/lestrrat-go/jwx/pull/1946) - docs: warn about short symmetric keys by [@lestrrat](https://github.com/lestrrat) in [#1949](https://github.com/lestrrat-go/jwx/pull/1949) - add jws.WithDetachedPayloadReader for streaming detached payloads by [@lestrrat](https://github.com/lestrrat) in [#1663](https://github.com/lestrrat-go/jwx/pull/1663) - jws: return non-nil empty \[]byte from streaming Verify by [@lestrrat](https://github.com/lestrrat) in [#1979](https://github.com/lestrrat-go/jwx/pull/1979) - clarify jwe decrypt unprotected-header scope by [@lestrrat](https://github.com/lestrrat) in [#1983](https://github.com/lestrrat-go/jwx/pull/1983) - drop raw input-byte caps from parse apis by [@lestrrat](https://github.com/lestrrat) in [#1985](https://github.com/lestrrat-go/jwx/pull/1985) - fix ClaimValueIs panic on non-comparable values by [@lestrrat](https://github.com/lestrrat) in [#1987](https://github.com/lestrrat-go/jwx/pull/1987) - clarify EncryptStatic CEK for direct-CEK algs by [@lestrrat](https://github.com/lestrrat) in [#1990](https://github.com/lestrrat-go/jwx/pull/1990) - jwk: add WithMaxKeys cap on JWKS entries by [@lestrrat](https://github.com/lestrrat) in [#1991](https://github.com/lestrrat-go/jwx/pull/1991) - jws: expand WithDetachedPayloadReader encoder-missing error with install hint by [@lestrrat](https://github.com/lestrrat) in [#1993](https://github.com/lestrrat-go/jwx/pull/1993) - jws: document goroutine-safety for WithDetachedPayloadReader by [@lestrrat](https://github.com/lestrrat) in [#1997](https://github.com/lestrrat-go/jwx/pull/1997) - jws: explain RFC 8032 EdDSA streaming incompatibility in error message by [@lestrrat](https://github.com/lestrrat) in [#1995](https://github.com/lestrrat-go/jwx/pull/1995) - jws: align streaming HMAC key-type error with non-streaming path by [@lestrrat](https://github.com/lestrrat) in [#2000](https://github.com/lestrrat-go/jwx/pull/2000) - jwe: fix grammar in ECDH-ES/DIRECT multi-recipient error by [@lestrrat](https://github.com/lestrrat) in [#2002](https://github.com/lestrrat-go/jwx/pull/2002) - jws: drop double-wrap on compact parse errors by [@lestrrat](https://github.com/lestrrat) in [#2004](https://github.com/lestrrat-go/jwx/pull/2004) - jwt: guard Validate against nil token by [@lestrrat](https://github.com/lestrrat) in [#2007](https://github.com/lestrrat-go/jwx/pull/2007) - jws: make jkuProvider surface missing-alg error by [@lestrrat](https://github.com/lestrrat) in [#2009](https://github.com/lestrrat-go/jwx/pull/2009) - jws: surface per-key selectKey errors in keySetProvider by [@lestrrat](https://github.com/lestrrat) in [#2011](https://github.com/lestrrat-go/jwx/pull/2011) - jws: surface use=enc mismatch as explicit error by [@lestrrat](https://github.com/lestrrat) in [#2013](https://github.com/lestrrat-go/jwx/pull/2013) - jwt: stop using dynamic fmt.Errorf format string in ParseRequest by [@lestrrat](https://github.com/lestrrat) in [#2017](https://github.com/lestrrat-go/jwx/pull/2017) - jws: document kid precedence on WithProtectedHeaders by [@lestrrat](https://github.com/lestrrat) in [#2024](https://github.com/lestrrat-go/jwx/pull/2024) - jwk: add WithRejectDuplicateKID parse option by [@lestrrat](https://github.com/lestrrat) in [#2027](https://github.com/lestrrat-go/jwx/pull/2027) - jwk: replace misleading RegisterKeyImporter godoc by [@lestrrat](https://github.com/lestrrat) in [#2029](https://github.com/lestrrat-go/jwx/pull/2029) - jwt: wrap unsupported-time-claim error as ValidateError by [@lestrrat](https://github.com/lestrrat) in [#2015](https://github.com/lestrrat-go/jwx/pull/2015) - changes: add jwk.WithRejectDuplicateKID entry by [@lestrrat](https://github.com/lestrrat) in [#2033](https://github.com/lestrrat-go/jwx/pull/2033) - fix v3.1.0 changelog inaccuracies and add missing entries by [@lestrrat](https://github.com/lestrrat) in [#2037](https://github.com/lestrrat-go/jwx/pull/2037) **Full Changelog**: <https://github.com/lestrrat-go/jwx/compare/v3.0.13...v3.1.0> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added 1 commit 2026-04-22 01:01:06 +00:00

fix(deps): update module github.com/lestrrat-go/jwx/v3 to v3.1.0

renovate/stability-days Updates have met minimum release age requirement

Details

auth0mock / build (pull_request) Successful in 1m29s

Details

d4bb818a21

renovate scheduled this pull request to auto merge when all checks succeed 2026-04-22 01:01:07 +00:00

renovate merged commit 32c6895802 into main

2026-04-22 01:06:28 +00:00

renovate deleted branch renovate/github.com-lestrrat-go-jwx-v3-3.x

2026-04-22 01:06:29 +00:00