All notable changes to this project will be documented in this file.
jwt.verify now requires an
"alg" field in signature headers is ignored. This mitigates a critical security flaw in the library which would allow an attacker to generate signatures with arbitrary contents that would be accepted by jwt.verify. See https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/ for details.
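As an added illustration (not code from this project), the sketch below contrasts a verifier that lets the token header choose the algorithm with one that takes the algorithm from the caller and never reads "alg". It uses only Node's built-in crypto module; every function name, the secret and both tokens are constructed for the example.

```javascript
// Added illustration, not code from this project. All names are hypothetical.
const nodeCrypto = require('crypto');

const HMAC = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };
const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (alg, input, secret) =>
  nodeCrypto.createHmac(HMAC[alg], secret).update(input).digest();
const sameBytes = (a, b) => a.length === b.length && nodeCrypto.timingSafeEqual(a, b);

// Build a compact JWS (header.payload.signature) signed with an HMAC algorithm.
function sign(payload, alg, secret) {
  const input = b64url(JSON.stringify({ alg, typ: 'JWT' })) + '.' +
                b64url(JSON.stringify(payload));
  return input + '.' + b64url(hmac(alg, input, secret));
}

// Pre-fix pattern: the verifier lets the token's own header choose the algorithm.
function verifyTrustingHeader(token, secret) {
  const [h, p, s] = token.split('.');
  const { alg } = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  if (alg === 'none') return s === '';   // header says "unsigned", so nothing is checked
  if (!HMAC[alg]) return false;
  return sameBytes(Buffer.from(s, 'base64url'), hmac(alg, h + '.' + p, secret));
}

// Post-fix pattern: the caller pins the algorithm; the header "alg" is never read.
function verifyPinned(token, algorithm, secret) {
  if (!HMAC[algorithm]) throw new TypeError('unsupported algorithm: ' + algorithm);
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  return sameBytes(Buffer.from(s, 'base64url'), hmac(algorithm, h + '.' + p, secret));
}

// Constructed regression inputs.
const SECRET = 'constructed-test-secret';
const signedToken = sign({ sub: 'alice' }, 'HS256', SECRET);
const unsignedToken = b64url(JSON.stringify({ alg: 'none' })) + '.' +
                      b64url(JSON.stringify({ sub: 'alice', admin: true })) + '.';

function regression() {
  return {
    pinnedAcceptsSigned: verifyPinned(signedToken, 'HS256', SECRET),
    pinnedRejectsUnsigned: !verifyPinned(unsignedToken, 'HS256', SECRET),
    pinnedRejectsOtherAlg: !verifyPinned(sign({ sub: 'alice' }, 'HS512', SECRET), 'HS256', SECRET),
    headerTrustAcceptsUnsigned: verifyTrustingHeader(unsignedToken, SECRET),
  };
}
```

A regression suite for a verifier should keep the two rejection cases as permanent tests, so that a later refactor cannot reintroduce header-driven algorithm selection.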
BREAKING: Default payload encoding changed from
utf8 is a more sensible default than binary because many payloads, as far as I can tell, will contain user-facing strings that could be in any language.
Code reorganization, thanks @fearphage!
encoding. For those few users that might be depending on a binary encoding of the messages, this is for them.