What's Changed

Fixes Panic in JWE decryption. See GHSA-78h2-9frx-2jm8

Full Changelog: v4.1.3...v4.1.4

What's Changed

Fixes GHSA-78h2-9frx-2jm8

We recommend migrating from v3 to v4, and we will stop support v3 in the near future.

Full Changelog: v3.0.4...v3.0.5

This release drops Go 1.23 support as that Go release is no longer supported. With that, we can drop x/crypto and no longer have any external dependencies in go-jose outside of the standard library!

This release fixes a bug where a critical b64 header was ignored if in an unprotected header. It is now rejected instead of ignored.

What's Changed

• Remove Go 1.23 support by @mcpherrinm in #205
• Reject JWS with an unprotected critical b64 header by @mcpherrinm in #210

Full Changelog: v4.1.2...v4.1.3

What's Changed

go-jose v4.1.2 improves some documentation, errors, and removes the only 3rd-party dependency.

• Update go-jose documentation by @mcpherrinm in #198
• Remove dependency on testify by @wardviaene in #197
• Improve error message for invalid private keys by @ProjectMutilation in #195
• JWK unsupported error when unmarshalling by @fprojetto in #191
• Add JSONWebKey type to makeJWERecipient by @alvarolivie in #200
• testutils/assert: remove True, Nil, NotNil by @jsha in #202

New Contributors

• @wardviaene made their first contribution in #197
• @fprojetto made their first contribution in #191
• @alvarolivie made their first contribution in #200

Full Changelog: v4.1.1...v4.1.2

What's Changed

• Drop go-cmp dependency by @mcpherrinm in #186
• jws: improve performance and allocations for ParseSignedCompact by @drakkan in #188
• Add missing quote to unknown curve message #170 by @sudhanvaghebbale in #189
• Fix incorrect validation by @ProjectMutilation in #192
• Restore Go 1.23 compatibility by @anuraaga in #193

New Contributors

• @drakkan made their first contribution in #188
• @sudhanvaghebbale made their first contribution in #189
• @ProjectMutilation made their first contribution in #192
• @anuraaga made their first contribution in #193

Full Changelog: v4.1.0...v4.1.1

What's Changed

• Document signatureAlgorithms argument by @tgeoghegan in #163
• Add custom error for unsupported JWS signature algorithms by @beautifulentropy in #181
• use stdlib pbkdf2 package on go 1.24 by @kruskall in #180
• The minimum supported Go version is now 1.24

New Contributors

• @kruskall made their first contribution in #180

Full Changelog: v4.0.5...v4.1.0

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144
#174

Full Changelog: v3.0.3...v3.0.4

What's Changed

• Don't allow unbounded amounts of splits by @mcpherrinm in #167

Fixes GHSA-c6gw-w398-hv78

Various other dependency updates, small fixes, and documentation updates in the full changelog

New Contributors

• @tgeoghegan made their first contribution in #161

Full Changelog: v4.0.4...v4.0.5

Fixed

• Reverted "Allow unmarshalling JSONWebKeySets with unsupported key types" as a breaking change. See #136 / #137.

Changed

• Allow unmarshalling JSONWebKeySets with unsupported key types (#130)
• Document that OpaqueKeyEncrypter can't be implemented (for now) (#129)
• Dependency updates