chore(deps): bump jws by dependabot[bot] · Pull Request #90 · angular-hispano/angular-docs-es

dependabot · 2025-12-04T18:02:53Z

Bumps and jws. These dependencies needed to be updated together.
Updates jws from 4.0.0 to 4.0.1

Release notes

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Updates jws from 3.2.2 to 3.2.3

Release notes

Sourced from jws's releases.

v4.0.1

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, addressing a compatibility issue for Node >= 25.

Changelog

Sourced from jws's changelog.

[4.0.1]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 2.0.1, adressing a compatibility issue for Node >= 25.

[3.2.3]

Changed

Fix advisory GHSA-869p-cjfg-cm3x: createSign and createVerify now require that a non empty secret is provided (via opts.secret, opts.privateKey or opts.key) when using HMAC algorithms.

Upgrading JWA version to 1.4.2, adressing a compatibility issue for Node >= 25.

[3.0.0]

Changed

BREAKING: jwt.verify now requires an algorithm parameter, and jws.createVerify requires an algorithm option. The "alg" field signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.

2.0.0 - 2015-01-30

Changed

BREAKING: Default payload encoding changed from binary to utf8. utf8 is a is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language. ([6b6de48])

Code reorganization, thanks [@fearphage]! (7880050)

Added

Option in all relevant methods for encoding. For those few users that might be depending on a binary encoding of the messages, this is for them. ([6b6de48])

... (truncated)

Commits

34c45b2 Merge commit from fork
49bc39b version 4.0.1
d42350c Enhance tests for HMAC streaming sign and verify
5cb007c Improve secretOrKey initialization in VerifyStream
f9a2e1c Improve secret handling in SignStream
b9fb8d3 Merge pull request #102 from auth0/SRE-57-Upload-opslevel-yaml
95b75ee Upload OpsLevel YAML
8857ee7 test: remove unused variable (#96)
See full diff in compare view

Maintainer changes

This version was pushed to npm by julien.wollscheid, a new releaser for jws since your current version.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Splaktar · 2026-01-09T20:15:52Z

@dependabot rebase

Splaktar · 2026-05-19T23:32:45Z

@dependabot rebase

Bumps and [jws](https://github.com/brianloveswords/node-jws). These dependencies needed to be updated together. Updates `jws` from 4.0.0 to 4.0.1 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) Updates `jws` from 3.2.2 to 3.2.3 - [Release notes](https://github.com/brianloveswords/node-jws/releases) - [Changelog](https://github.com/auth0/node-jws/blob/master/CHANGELOG.md) - [Commits](auth0/node-jws@v4.0.0...v4.0.1) --- updated-dependencies: - dependency-name: jws dependency-version: 3.2.3 dependency-type: indirect - dependency-name: jws dependency-version: 4.0.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 4, 2025

dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-d0f6e8601e branch from 831b65b to af101b9 Compare January 9, 2026 20:16

dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-d0f6e8601e branch from af101b9 to c9c0370 Compare May 19, 2026 23:33

Splaktar approved these changes May 19, 2026

View reviewed changes

Splaktar merged commit e213692 into main May 19, 2026
4 checks passed

Splaktar deleted the dependabot/npm_and_yarn/multi-d0f6e8601e branch May 19, 2026 23:59

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump jws#90

chore(deps): bump jws#90
Splaktar merged 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-d0f6e8601e

dependabot Bot commented on behalf of github Dec 4, 2025 •

edited

Loading

Uh oh!

Splaktar commented Jan 9, 2026

Uh oh!

Splaktar commented May 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Dec 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

v4.0.1

Changed

[4.0.1]

Changed

[3.2.3]

Changed

[3.0.0]

Changed

2.0.0 - 2015-01-30

Changed

Added

Uh oh!

Splaktar commented Jan 9, 2026

Uh oh!

Splaktar commented May 19, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Dec 4, 2025 •

edited

Loading