v3.0.0
Summary
Version 3.0.0 introduces significant breaking changes focusing on security hardening, stricter standards compliance, and dependency removal. New features include bundled verification methods and improved JWK compatibility.
⚠️ Breaking Changes
- Require token signature to be verified before accessing payload.
- Drop support for the HS512256 algorithm.
- Remove deprecated claim verification methods.
- Remove the dependency on rbnacl.
- Support only stricter base64 decoding (RFC 4648).
- Custom algorithms are required to include `JWT::JWA::SigningAlgorithm`.
- Require RSA keys to be at least 2048 bits.
- Base64 encode and decode the k value for HMAC JWKs.
Migration Steps
- Consult the [upgrade guide](UPGRADING.md) for detailed instructions on migrating to v3.0.0.
✨ New Features
- `JWT::EncodedToken#verify!` method that bundles signature and claim validation.
- Do not override the `alg` header if already given.
- Make `JWK::KeyFinder` compatible with `JWT::EncodedToken`.
🐛 Bug Fixes
- Ruby 3.4 added to CI matrix.
- Add logger as development dependency.