jose

Fixes

• build: refactor export targets for browser, node cjs, and node esm builds (50cbc65)

Features

• extend JWT NumericDate setter syntax (ae363c3)

Build

• add errors and base64url submodule exports (564412d)

Fixes

• do not mutate JWTVerifyOptions.requiredClaims (1bf9cec), closes #610

Refactor

• deprecate the RSA1_5 JWE Algorithm (f746da1)

Features

• add payload generics to jose.decodeJwt (9de49e2), closes #604

Fixes

• createRemoteJWKSet: ensure a default user-agent header is present (887dd3c), closes #600

Fixes

• also use ES2020 in the CDN bundles (8c4d390)

⚠ BREAKING CHANGES

• Node.js: return Uint8Array (not a Buffer) from base64url.decode
• Browser distribution is now built using ES2020 as a target
• Node.js distribution is now built using ES2022 as a target
• types: jwtVerify and jwtDecrypt type argument for the resolved KeyLike type is now a second optional type argument following a type for the JWT Claims Set (aka payload)
• PBES2 Key Management Algorithms' use in decrypt functions now requires the use of the keyManagementAlgorithms option to explicitly opt-in for their use.
• importJWK "octAsKeyObject" option was removed. importJWK will no longer return CryptoKey or KeyObject for "oct" (octet sequence) JWK key types, it will instead always return a Uint8Array formed from the "k" (Key Value) Parameter regardless of the other JWK Parameters that may be present.
• End-Of-Life versions of Node.js as of October 2023 are no longer supported. Node.js 18, 20, 21, and future releases are the ones that remain supported.
• The JWE "zip" (Compression Algorithm) Header Parameter
  is no longer supported by this JOSE implementation.

Features

• add Date as valid input to timestamp setting functions (bd830a4)
• default to an empty payload in JWT producing constructors (98d6ca1)
• types: add optional Generics for JWT verify and decrypt (61bd2a0), closes #568

Reverts

• Revert "test: fix test under lts/erbium" (b64b6c7)

Refactor

• Browser distribution is now built using ES2020 as a target (1836684)
• drop support for EOL Node.js versions (b5aee54)
• importJWK always returns a Uint8Array for symmetric key inputs (163e1b0)
• Node.js distribution is now built using ES2022 as a target (239697a)
• Node.js: return Uint8Array (not a Buffer) from base64url.decode (02d5182)
• PBES2 Algorithms require explicit opt-in during verification (e2da031)
• remove support for JWE "zip" (Compression Algorithm) Header Parameter (16998b1)
• types: rename type parameters for the KeyLike returns (eddd400)
• update allow list error messages (fe8114c)

Fixes

• types: export GetKeyFunction (#592) (936c9df), closes #591

This release contains only Node.js CITGM related test updates.

Fixes https://github.com/nodejs/citgm/issues/1011

Fixes

• build: add a node target for jose-browser-runtime releases (abb63d0)

Fixes

• resolve missing types for the cryptoRuntime const (1627965)

Features

• export the used crypto runtime as a constant (0681dda)

Fixes

• build: publish bundle and umd files with jose-browser-runtime module (62fcbcc), closes #571

Refactor

• catch type error when decoding base64url signature (#569) (935e920)
• catch type errors when decoding various base64url strings (9024e87)

Refactor

• cleanup NODE-ED25519 workerd workarounds (072e83d)

Reverts

• Revert "fix(types): headers and payloads may only be JSON values and primitives" (06d8101), closes #534

Fixes

• types: headers and payloads may only be JSON values and primitives (24f306e)

This release is to start using provenance statements.