5.3.0

Release Notes for 5.3.0

This release ships a new validation constraint to assert that a private claim exists.

5.3.0

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Improvement

• 1053: Add constraint to verify the existence of a custom claim thanks to @freebuu

5.2.0

Release Notes for 5.2.0

This release provides an API to ease key rotation procedures and dependency updates.

5.2.0

• Total issues resolved: 0
• Total pull requests resolved: 2
• Total contributors: 1

Improvement

• 1033: Add support to validate against multiple keys thanks to @lcobucci
• 1032: Remove requirement of core PHP extensions thanks to @lcobucci

5.1.0

Release Notes for 5.1.0

This releases compatibility guarantees with PHP 8.3 and adds testing against PHP 8.4-dev.

5.1.0

• Total issues resolved: 1
• Total pull requests resolved: 8
• Total contributors: 4

Dependencies

• 1030: Support PHP 8.3 thanks to @javer

renovate

• 1025: Update all non-major dependencies thanks to @renovate[bot]

• 1017: Update dependency phpstan/phpstan to v1.10.26 thanks to @renovate[bot]

• 1016: Update dependency lcobucci/coding-standard to v11 thanks to @renovate[bot]

• 1006: Lock file maintenance thanks to @renovate[bot]

• 1004: Update all non-major dependencies thanks to @renovate[bot]

• 1010: Fixed naming of assertShouldRaiseExceptionWhenSignatureIsValid() thanks to @rhertogh

Improvement

• 1002: Improve benchmarks thanks to @lcobucci

5.0.0

Release Notes for 5.0.0

This release removes deprecated components, makes PHP 8.1 the minimum required version, and ships some API improvements.

5.0.0

• Total issues resolved: 2
• Total pull requests resolved: 25
• Total contributors: 9

BC-break

• 979: Builder: make it immutable thanks to @Slamdunk
• 939: Remove empty Signer, empty Key, empty Signature, empty strings thanks to @Slamdunk
• 937: Remove \Lcobucci\JWT\Signer\None thanks to @Slamdunk
• 873: Use abstraction instead of concretion thanks to @lcobucci
• 872: Remove deprecated components thanks to @lcobucci
• 871: Require PHP 8.1+ thanks to @lcobucci
• 969: 4.3.x merge up into 5.0.x thanks to @lcobucci

Minor BC-break

• 967: Make testing less painful thanks to @lcobucci

Improvement

• 1001: Support other PSR-20 implementations thanks to @lcobucci
• 977: Builder fluent interface is confusing thanks to @Slamdunk
• 960: Setup Renovate as a replacement for Dependabot thanks to @Ocramius
• 931: Make test assertion more strict thanks to @peter279k
• 880: PHP Version constraint: stick to tested versions only thanks to @Slamdunk

CI

• 1000: Update docs and CI files thanks to @lcobucci
• 999: Use roave/backward-compatibility-check directly thanks to @lcobucci

Dependencies

• 998: Update to PHPUnit 10 thanks to @Slamdunk
• 988: Merge release 4.3.0 into 5.0.x thanks to @github-actions[bot]
• 984: Update dependency phpstan/phpstan to ^1.9.4 thanks to @renovate[bot]
• 906: Bump phpstan/phpdoc-parser from 1.7.0 to 1.8.0 thanks to @dependabot[bot]
• 905: Bump nikic/php-parser from 4.14.0 to 4.15.1 thanks to @dependabot[bot]
• 904: Bump phpstan/phpstan from 1.8.3 to 1.8.5 thanks to @dependabot[bot]
• 902: Bump phpstan/phpstan-strict-rules from 1.4.2 to 1.4.3 thanks to @dependabot[bot]
• 898: Bump phpstan/phpstan from 1.8.2 to 1.8.3 thanks to @dependabot[bot]
• 973: Update all non-major dependencies thanks to @renovate[bot]

Documentation

• 981: [docs] Fix typo in code example comment thanks to @LauLaman
• 909: Clarify Ecdsa\Sha512::expectedKeyLength() thanks to @enumag
• 882: Fix typo: you must create a new token builder thanks to @Slamdunk

4.3.0

Release Notes for 4.3.0

Feature release (minor)

4.3.0

• Total issues resolved: 0
• Total pull requests resolved: 4
• Total contributors: 4

Dependencies,Improvement

• 986: Allow lcobucci/clock:^3.0 to be installed with lcobucci/jwt:^4 thanks to @Ocramius

Improvement,Minor BC-break

• 968: Deprecate Ecdsa create thanks to @lcobucci

Improvement

• 938: Deprecate empty Signer, empty Key and empty Signature thanks to @Slamdunk

Documentation

• 879: fix typo : you must create a new token builder, thanks to @roxie-dev

4.2.1

Release Notes for 4.2.1

This release fixes a documentation mistake.

4.2.1

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Documentation,Minor BC-break

• 874: Make method explicitly internal thanks to @lcobucci

4.2.0

Release Notes for 4.2.0

This release provides a high-level API, a new (non-standard) algorithm, and validation for key length requirements.
The latter is a minor BC-break for users that aren't following the RFC recommendations.

To contain the impact of the changes and give time for people to rotate keys, we have deprecated implementations that maintain the previous behaviour and allow unsafe keys.
For more information, please read the documentation.

4.2.0

• Total issues resolved: 3
• Total pull requests resolved: 15
• Total contributors: 7

Documentation

• 866: Improve documentation thanks to @lcobucci
• 853: Add documentation for JwtFacade thanks to @lcobucci
• 768: Be more clear about adding validation constraints in the doc thanks to @NicolasCARPi
• 725: [docs] Clarify change in date-formats thanks to @jaylinski

Improvement

• 865: Track constraint on violations thanks to @lcobucci
• 836: Key: require non-empty-string for factory methods too thanks to @Slamdunk
• 832: Add Blake2b signature algorithm thanks to @Slamdunk
• 827: Add constraint for private claim validation thanks to @james-bw
• 826: Add withClaim validation for custom claim validation thanks to @james-bw
• 759: Add simplified API thanks to @Slamdunk

Improvement,Minor BC-break,Security

• 864: Fix ecdsa key size validation thanks to @lcobucci
• 855: Require minimum key size for OpenSSL keys thanks to @Slamdunk
• 854: Require minimum key size for RSA keys thanks to @lcobucci
• 835: Require minimum key size for HMAC algorithm thanks to @Slamdunk
• 833: Key: permit empty keys only with ::empty() factory method thanks to @Slamdunk

Security

• 789: Merge release 4.1.5 into 4.2.x thanks to @github-actions[bot]

• 704: Invalid signing with SHA256 alg using secp521r1 curve thanks to @KartaviK

CI

• 657: Migrate to native dependabot thanks to @lcobucci

4.1.5

Release Notes for 4.1.5

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

More info: GHSA-7322-jrq4-x5hf

4.1.5

• Total issues resolved: 0
• Total pull requests resolved: 1
• Total contributors: 1

Security

• 788: Merge release 4.0.4 into 4.1.x thanks to @github-actions[bot]

4.0.4

Release Notes for 4.0.4

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

More info: More info: GHSA-7322-jrq4-x5hf

4.0.4

• Total issues resolved: 0
• Total pull requests resolved: 0
• Total contributors: 0

3.4.6

Release Notes for 3.4.6

This patch ships a minor security fix to prevent misuse of the LocalFileReference key.

More info: More info: GHSA-7322-jrq4-x5hf

3.4.6

• Total issues resolved: 1
• Total pull requests resolved: 0
• Total contributors: 3