chore(deps): update security updates (major)

[NumaryBot]

This PR contains the following updates:

Package	Type	Update	Change
github.com/alitto/pond	require	major	v1.9.2 -> v2.7.0
github.com/formancehq/go-libs/v2	require	major	v2.2.3 -> v4.1.1
github.com/lestrrat-go/jwx	indirect	major	v1.2.30 -> v3.0.13
github.com/lestrrat-go/option	indirect	major	v1.0.1 -> v2.0.0
github.com/lithammer/shortuuid/v3	indirect	major	v3.0.7 -> v4.2.0
github.com/oklog/ulid	indirect	major	v1.3.1 -> v2.1.1
go.yaml.in/yaml/v2	indirect	major	v2.4.3 -> v3.0.4
gopkg.in/evanphx/json-patch.v4	indirect	major	v4.13.0 -> v5.9.11

---

Release Notes

alitto/pond (github.com/alitto/pond)

v2.7.0

Compare Source

What's Changed

• fix(group): prevent deadlock in Wait() when context is cancelled and task queue is not empty by @​alitto in https://github.com/alitto/pond/pull/139. Thanks @​Vyom-Yadav 🙌

Full Changelog: alitto/pond@v2.6.2...v2.7.0

v2.6.2

Compare Source

What's Changed

• fix(pool): ensure pool recovers after runtime.Goexit() by @​alitto in https://github.com/alitto/pond/pull/137
• Run tests against the latest versions of go (1.24 and 1.25)

Full Changelog: alitto/pond@v2.6.1...v2.6.2

v2.6.1

Compare Source

What's Changed

• fix(stop-and-wait): fix(stop-and-wait): handle call to runtime.Goexit() in task in https://github.com/alitto/pond/pull/122 (fixes https://github.com/alitto/pond/issues/135)

Full Changelog: alitto/pond@v2.6.0...v2.6.1

v2.6.0

Compare Source

What's Changed

• chore(deps): bump actions/checkout from 5 to 6 by @​dependabot[bot] inhttps://github.com/alitto/pond/pull/1311
• feat(disable-queue): Allow disabling task queue by setting it to 0 by @​alitto in https://github.com/alitto/pond/pull/132 (Thanks @​korotin 🙌)
• feat(optional-panic-recovery): Add option to disable panic recovery by @​alitto in https://github.com/alitto/pond/pull/133 (Thanks @​snichols 🙌)

Breaking Changes

• Setting the queue size option to zero (0) via WithQueueSize(0) now disables the task queue altogether (all task submissions block until a worker becomes available unless the pool is set to non-blocking mode). Before this change, setting queue size to 0 would cause the queue to be unbounded. Pools are still unbounded by default, but now there's a constant that can be used to set queue size to unbounded explicitly. E.g. pond.NewPool(10, pond.WithQueueSize(pond.Unbounded)).

Full Changelog: alitto/pond@v2.5.0...v2.6.0

v2.5.0

Compare Source

What's Changed

• chore(future): rename Result interface to be consistent by @​tech-voker in https://github.com/alitto/pond/pull/122

New Contributors

• @​tech-voker made their first contribution in https://github.com/alitto/pond/pull/122

Full Changelog: alitto/pond@v2.4.0...v2.5.0

v2.4.0

Compare Source

What's Changed

• feat(group): expose group context via Context() method by @​alitto in https://github.com/alitto/pond/pull/121

Full Changelog: alitto/pond@v2.3.4...v2.4.0

v2.3.4

Compare Source

What's Changed

• fix(pool): prevent race condition with blocking pools by @​alitto in https://github.com/alitto/pond/pull/115

Full Changelog: alitto/pond@v2.3.3...v2.3.4

v2.3.3

Compare Source

What's Changed

• fix(buffer): avoid holding references to submitted tasks by @​alitto in https://github.com/alitto/pond/pull/113. Thanks @​SimonTheLeg and @​reshnm 🙌

Full Changelog: alitto/pond@v2.3.2...v2.3.3

v2.3.2

Compare Source

What's Changed

• fix(pool): prevent deadlock on submitWaiters channel by @​alitto in https://github.com/alitto/pond/pull/109. Fixes https://github.com/alitto/pond/issues/108. Thanks @​JHarperFox 🙌

Full Changelog: alitto/pond@v2.3.1...v2.3.2

v2.3.1

Compare Source

Pull requests

• fix(pool): avoid race conditions when a task is submitted while the pool is stopping by @​alitto in https://github.com/alitto/pond/pull/105
• feat(pool): add non-blocking submission methods and dropped tasks metric by @​alitto in https://github.com/alitto/pond/pull/107

Changes

• Ensure closed atomic bool is toggled and checked while holding the mutex to avoid race conditions.
• Ensure workersWaitGroup.Add() is always called while holding the mutex to avoid race conditions.
• Improve comments on submit methods to clarify the behavior when the pool is stopped.
• Refactor trySubmit method to make it simpler and more clear.
• Centralize worker launch in a new method called launchWorker.
• Replace subpoolSubmit with subpoolWorker method.
• Add methods to submit individual tasks in a non-blocking fashion (TrySubmit and TrySubmitErr). Requested in https://github.com/alitto/pond/issues/103
• Expose new DroppedTasks metric that reflects the number of tasks that were not executed because the queue was full. Issue reported in https://github.com/alitto/pond/issues/100
• SubmittedTasks metric now includes dropped tasks and it stops being updated once the pool is stopped.

Fixes

• Decrement workerCount counter when the pool context is cancelled.
• Resize() now supports setting maxConcurrency to 0 (no limit)

Full Changelog: alitto/pond@v2.3.0...v2.3.1

v2.3.0

Compare Source

What's Changed

• feat(pool): add support for dynamically adjusting max concurrency by @​alitto in https://github.com/alitto/pond/pull/102

Full Changelog: alitto/pond@v2.2.0...v2.3.0

v2.2.0

Compare Source

What's Changed

• feat(pool): add option to bound task queue (v2) by @​alitto in https://github.com/alitto/pond/pull/99
  • Add support to create bounded pools by specifying a queue size (WithQueueSize option).
  • Add support to choose how to deal with tasks submitted when the queue is full (WithNonBlocking option).
  • Ensure RunningWorkers() method in subpools reflect the actual number of workers running tasks belonging to the subpool.
  • Allow overriding pool options when creating a subpool via NewSupool.
  • Simplify pool submission logic and remove dispatcher goroutine.
  • Simplify subpool implementation.

Full Changelog: alitto/pond@v2.1.6...v2.2.0

v2.1.6

Compare Source

What's Changed

• Fix typos by @​deining in https://github.com/alitto/pond/pull/89
• GitHub actions: fix warning by @​deining in https://github.com/alitto/pond/pull/90
• Automated version check for GitHub workflow actions by @​deining in https://github.com/alitto/pond/pull/93
• fix(panics): wrap panic errors correctly and include stack trace in https://github.com/alitto/pond/pull/96 (thanks @​deregtd 🙌)

New Contributors

• @​deining made their first contribution in https://github.com/alitto/pond/pull/89

Full Changelog: alitto/pond@v2.1.5...v2.1.6

v2.1.5

Compare Source

What's Changed

• Fixed write to closed channel in dispatcher by @​korotin in https://github.com/alitto/pond/pull/87

New Contributors

• @​korotin made their first contribution in https://github.com/alitto/pond/pull/87

Full Changelog: alitto/pond@v2.1.4...v2.1.5

v2.1.4

Compare Source

What's Changed

• fix(dispatcher): ensure workers exit reliably when worker count is low by @​alitto in https://github.com/alitto/pond/pull/86

Full Changelog: alitto/pond@v2.1.3...v2.1.4

v2.1.3

Compare Source

What's Changed

• fix(taskgroup): failed group tasks not counted by @​alitto in https://github.com/alitto/pond/pull/85

Full Changelog: alitto/pond@v2.1.2...v2.1.3

v2.1.2

Compare Source

What's Changed

• fix(pool): fix race condition with small pool sizes by @​alitto in https://github.com/alitto/pond/pull/83

Full Changelog: alitto/pond@v2.1.1...v2.1.2

v2.1.1

Compare Source

What's Changed

• feat(taskgroup): wait for ongoing tasks complete when group is stopped or context is cancelled by @​alitto in https://github.com/alitto/pond/pull/82

Full Changelog: alitto/pond@v2.1.0...v2.1.1

v2.1.0

Compare Source

What's Changed

• feat(taskgroup): improve task group functionality by @​alitto in https://github.com/alitto/pond/pull/81
  • Added a new method to the pool to create a task group associated with a context (pool.NewGroupContext(ctx))
  • Added new methods to task groups:
    • group.Done(): returns a channel that is closed when all tasks in the group finish or the first error is returned.
    • group.Stop(): stops the task group. Queued tasks will be discarded but running tasks will complete their execution.
  • Added a new example showcasing the new pool.NewGroupContext(ctx) method.

Full Changelog: alitto/pond@v2.0.4...v2.1.0

v2.0.4

Compare Source

What's Changed

• fix(group): do not panic when submitting zero tasks by @​alitto in https://github.com/alitto/pond/pull/79

Full Changelog: alitto/pond@v2.0.3...v2.0.4

v2.0.3

Compare Source

What's Changed

• fix(taskgroups): do not start remaining tasks after context cancellation by @​alitto in https://github.com/alitto/pond/pull/77

Full Changelog: alitto/pond@v2.0.2...v2.0.3

v2.0.2

Compare Source

Changes

• Expose Stopped() bool method in pools to indicate whether the pool has been stopped or its associated context has been cancelled.

Fixes

• Ensure ErrPoolStopped error is always returned when attempting to submit a task to a pool that has been stopped or its associated context cancelled.

v2.0.1

Compare Source

Fixes

• Avoid launching workers that exit immediately without running any tasks.
• Prevent task group Wait() from returning eagerly when tasks are executed before submitting the last one of the group.

v2.0.0

Compare Source

What's new in v2?

Version 2 of pond introduces many improvements and new features:

• Unbounded Task Queues: Task queues are now unbounded by default, simplifying pool creation.
• Task Submission with Results: New APIs allow tasks to return results, enhancing flexibility.
• Awaitable Task Completion: Tasks can now be awaited, providing better control over task execution.
• Type Safe APIs: Improved type safety for tasks that return errors or results.
• Panics Recovery: Panics during task execution are captured and returned as errors, allowing graceful error handling.
• Subpools: Create subpools with a fraction of the parent pool's workers for specific tasks.
• Default Pool: A global default pool is available for task submission without explicit pool creation.

Migration from v1 to v2

There have been a significant number of breaking changes in v2, so please make sure to read the migration guide if you are upgrading from v1.

formancehq/go-libs (github.com/formancehq/go-libs/v2)

v4.1.1

Compare Source

v4.1.0

Compare Source

What's Changed

• chore(deps): update module go.opentelemetry.io/otel/sdk to v1.40.0 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/551
• chore(deps): update module filippo.io/edwards25519 to v1.1.1 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/550
• feat(EN-780): extract OTel trace context from message metadata in que… by @​fguery in https://github.com/formancehq/go-libs/pull/558
• chore(deps): update module github.com/docker/cli to v29 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/560
• feat: listener should inject the context into the context so that it … by @​fguery in https://github.com/formancehq/go-libs/pull/561
• chore(deps): update module github.com/nats-io/nats-server/v2 to v2.11.12 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/553
• feat(licence): offline JWT validation with embedded Formance public key by @​flemzord in https://github.com/formancehq/go-libs/pull/562

Full Changelog: formancehq/go-libs@v4.0.0...v4.1.0

v4.0.0

Compare Source

v3.6.1

Compare Source

v3.6.0

Compare Source

v3.5.0

Compare Source

v3.4.0

Compare Source

What's Changed

• fix: really use the publisher-nats-client-id flag for nats connections by @​sylr in https://github.com/formancehq/go-libs/pull/523
• chore(deps): update module github.com/opencontainers/runc to v1.2.8 [security] by @​NumaryBot in https://github.com/formancehq/go-libs/pull/525
• feat: add capacity to specify a static keyset on auth middleware by @​gfyrag in https://github.com/formancehq/go-libs/pull/524

New Contributors

• @​sylr made their first contribution in https://github.com/formancehq/go-libs/pull/523

Full Changelog: formancehq/go-libs@v3.3.0...v3.4.0

v3.3.0

Compare Source

v3.2.1

Compare Source

v3.2.0

Compare Source

v3.1.0

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

v2.2.4

Compare Source

lestrrat-go/jwx (github.com/lestrrat-go/jwx)

v3.0.13

Compare Source

What's Changed

• Pass value of WithContext to jws.Verify by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1483
• Bump golangci/golangci-lint-action from 8.0.0 to 9.0.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14900
• Bump actions/checkout from 5.0.0 to 5.0.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14944
• Bump actions/setup-go from 6.0.0 to 6.1.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15000
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14999
• Bump golang.org/x/crypto from 0.39.0 to 0.45.0 in /cmd/jwx by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14955
• Bump actions/checkout from 5.0.1 to 6.0.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15044
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genoptions by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15022
• Bump golangci/golangci-lint-action from 9.0.0 to 9.1.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15066
• Fix document for (jwk.Set).LookupKeyID by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1508
• Bump golang.org/x/crypto from 0.43.0 to 0.45.0 in /tools/cmd/genjwt by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15099
• Bump actions/stale from 10.1.0 to 10.1.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15144
• Bump golangci/golangci-lint-action from 9.1.0 to 9.2.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15155
• Bump actions/checkout from 6.0.0 to 6.0.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15166
• Update httprc by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1518
• Bump actions/cache from 4.3.0 to 5.0.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15255
• Appease linter (v2.7.2) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1526
• Bump golang.org/x/crypto from 0.45.0 to 0.46.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15200
• Add permissions by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1528
• Bump github.com/valyala/fastjson from 1.6.4 to 1.6.7 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15244
• Fix Clone() by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1530

Full Changelog: lestrrat-go/jwx@v3.0.12...v3.0.13

v3.0.12

Compare Source

What's Changed

• Change go.mod version requirements to go 1.24.0 and introduce toolchain directive by @​henrymcconville in https://github.com/lestrrat-go/jwx/pull/1465
• Use go.mod for go version in Bazel module by @​henrymcconville in https://github.com/lestrrat-go/jwx/pull/1466
• Enable legacy signers by default, and explicitly populate new signer instances by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1460
• autodoc updates by @​github-actions[bot] inhttps://github.com/lestrrat-go/jwx/pull/14755
• Fix godoclint issues by @​babakks in https://github.com/lestrrat-go/jwx/pull/1469
• Bump actions/cache from 4.2.4 to 4.3.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14633
• Bump actions/stale from 10.0.0 to 10.1.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14688
• Bump github.com/segmentio/asm from 1.2.0 to 1.2.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14622
• Bump github/codeql-action from 3 to 4 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14722
• Bump golang.org/x/crypto from 0.42.0 to 0.43.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14744
• revive godoclint by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1478
• [jwe] Add option to explicitly clear per-recipient headers ("header") for flattened JSON serialization by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1477
• autodoc updates by @​github-actions[bot] inhttps://github.com/lestrrat-go/jwx/pull/14800

New Contributors

• @​henrymcconville made their first contribution in https://github.com/lestrrat-go/jwx/pull/1465
• @​babakks made their first contribution in https://github.com/lestrrat-go/jwx/pull/1469

Full Changelog: lestrrat-go/jwx@v3.0.11...v3.0.12

v3.0.11

Compare Source

What's Changed

• Bump actions/cache from 4.2.3 to 4.2.4 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14388
• Bump golang.org/x/crypto from 0.40.0 to 0.41.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14366
• [jwe] Work with non X25519 ECDH encryption by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1442
• Bump actions/checkout from 4.2.2 to 5.0.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14400
• Separate out signature generation / verification into its own framework by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1439
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.0 to 3.0.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14433
• Bump actions/stale from 9.1.0 to 10.0.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14511
• Bump github.com/stretchr/testify from 1.10.0 to 1.11.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14477
• Bump golang.org/x/crypto from 0.41.0 to 0.42.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14566
• Bump actions/setup-go from 5.5.0 to 6.0.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14499
• Warh40k fix/connection leak by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1458
• Allow shutting down jwk cache by @​adam-bates in https://github.com/lestrrat-go/jwx/pull/1457

New Contributors

• @​adam-bates made their first contribution in https://github.com/lestrrat-go/jwx/pull/1457

Full Changelog: lestrrat-go/jwx@v3.0.10...v3.0.11

v3.0.10

Compare Source

What's Changed

• Fix header not found error by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1435

Full Changelog: lestrrat-go/jwx@v3.0.9...v3.0.10

v3.0.9

Compare Source

What's Changed

• [jwk] Implement X509 related code in jwkbb by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1423
• Tweak error message by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1424
• [jwt] implement distinguishable jwt.Get errors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1426
• Update bazel to v8 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1429
• Bump golang.org/x/crypto from 0.39.0 to 0.40.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/14288
• Allow HeaderGetXXX() functions to differentiate not found / invalid headers by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1432

Full Changelog: lestrrat-go/jwx@v3.0.8...v3.0.9

v3.0.8

Compare Source

What's Changed

• change from interface{} to any by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1417
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1418
• Introduce jwe lower level API (jwebb), and refactor a bunch of things. by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1419
• [jws/jwsbb] Add io.Reader for source of randomness by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1420
• Add package level doc for jwe by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1421
• Add jwsbb.HeaderParse by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1422

Full Changelog: lestrrat-go/jwx@v3.0.7...v3.0.8

v3.0.7

Compare Source

What's Changed

• Update examples by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1412
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1413
• Add error when signature could not be verified by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1414
• Add Header type for quick and dirty access to JWS headers by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1415
• Refactor jwsbb code by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1416

Full Changelog: lestrrat-go/jwx@v3.0.6...v3.0.7

v3.0.6

Compare Source

What's Changed

• Use shared constants for better legibility/greppability by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1398
• Rework pool objects by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1399
• Bump github.com/cloudflare/circl from 1.6.0 to 1.6.1 in /examples by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1395
• Add AppendEncode to the interface by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1400
• Upgrade option and blackmagic by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1401
• Add comparison benchmark by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1407
• Implement low-level API for jws, and incorporate it to JWT to achieve massive performance gains by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1408
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1409
• Rename comparison by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1410

Full Changelog: lestrrat-go/jwx@v3.0.5...v3.0.6

v3.0.5

Compare Source

What's Changed

• Revert "Improve performance (#​1391)" by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1397
• v3.0.4 has also been retracted on go.mod

Full Changelog: lestrrat-go/jwx@v3.0.4...v3.0.5

v3.0.4

Compare Source

v3.0.3

Compare Source

What's Changed

• Add more context to the errors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1387
• Update httprc version by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1388

Full Changelog: lestrrat-go/jwx@v3.0.2...v3.0.3

v3.0.2

Compare Source

What's Changed

• Bump golangci/golangci-lint-action from 7.0.0 to 8.0.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1369
• Bump golang.org/x/crypto from 0.37.0 to 0.38.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1372
• Bump actions/setup-go from 5.4.0 to 5.5.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1373
• Add .deprecated field to algorithms in anticipation of future deprecations by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1374
• Add .deprecated field to algorithms in anticipation of future deprecations by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1376
• Add doc tweaks to #​1380 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1383
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1384
• Use jwk interfaces for each key type rather than concrete types by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1381
• Implement Filter objects for container types by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1377
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1386
• Implement generic AsMap by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1385

Full Changelog: lestrrat-go/jwx@v3.0.1...v3.0.2

v3.0.1

Compare Source

What's Changed

Please read the Changes file and upgrade accordingly, especially if you are using the following combinations for JWE:

• DIRECT mode content encryption
• Using A256CBC_HS512
• With an erroneously created CEK of exactly 32-bytes.

---

• Bump actions/cache from 4.2.1 to 4.2.3 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1336
• Bump actions/checkout from 4.1.7 to 4.2.2 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1337
• Bump actions/setup-go from 5.0.2 to 5.4.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1338
• Update 02-jws.md by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1341
• Bump golang.org/x/crypto from 0.36.0 to 0.37.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1342
• Add the claim name to error messages produced by ClaimValueIs() by @​jmalloc in https://github.com/lestrrat-go/jwx/pull/1347
• Tweak comments generated by genwa under jwa directory by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1348
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1349
• Disable funcorder by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1351
• Update .golangci.yml by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1353
• Update github.com/lestrrat-go/blackmagic by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1352
• disable dependabot for develop/v1 branch by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1358
• jws: improve performance for SplitCompact/SplitCompactString by @​drakkan in https://github.com/lestrrat-go/jwx/pull/1360
• jwe: use strings.Cut in parseCompact by @​drakkan in https://github.com/lestrrat-go/jwx/pull/1362
• Update httprc to v3.0.0-beta2 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1364
• Create SECURITY.md by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1365
• [v3] Explcitly check key sizes before passing to aes.NewCipher by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1367

New Contributors

• @​jmalloc made their first contribution in https://github.com/lestrrat-go/jwx/pull/1347

Full Changelog: lestrrat-go/jwx@v3.0.0...v3.0.1

v3.0.0

Compare Source

What's Changed

• Add support for RSA-OAEP-384 and RSA-OAEP-512 by @​Hannes-Kunnen in https://github.com/lestrrat-go/jwx/pull/1142
• fix: typos by @​maro114510 in https://github.com/lestrrat-go/jwx/pull/1145
• Update httprc to v1.0.6 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1150
• Improve API for checking algorithm characteristics around symmetry by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1151
• Fix typos/mistakes/wording/links in documentation/comments by @​Hannes-Kunnen in https://github.com/lestrrat-go/jwx/pull/1152
• Apply changes from #​1156 to v2 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1158
• Avoid problems on 32-bit systems by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1159
• Update minimum required go version to 1.20 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1161
• Run CI with minimum go version 1.20 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1162
• Bump golang.org/x/crypto from 0.24.0 to 0.25.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1149
• Deprecate jws.WithHeaders by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1163
• Bump golang.org/x/crypto from 0.25.0 to 0.26.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1168
• Fix document of how to parse PEM via CLI by @​kg0r0 in https://github.com/lestrrat-go/jwx/pull/1174
• Wrap the errors from functions called within ParseRequest by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1176
• V3 modernize infra by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1180
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1181
• V3 dependabot by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1184
• Completely rework jwk.Cache using github.com/lestrrat-go/httprc/v3 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1189
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1190
• Use import by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1191
• include an extra attribute in the trace log for debugging by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1192
• remove old references and unused files by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1193
• Bump golang.org/x/crypto from 0.26.0 to 0.27.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1185
• cleanup docs, options around cache by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1194
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1195
• fix docs by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1196
• Bump golangci/golangci-lint-action from 6.1.0 to 6.1.1 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1197
• Allow flexible key usage values by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1198
• Remove assert by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1200
• Convert jwa constants to function calls returning objects by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1203
• Mention RegisterKeyUsage by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1201
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1206
• Change accessors in jwk to return (T, bool) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1207
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1211
• Bump golang.org/x/crypto from 0.27.0 to 0.28.0 by @​dependabot in https://github.com/lestrrat-go/jwx/pull/1210
• Change JWT accessors from returning T to returning (T, bool) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1212
• autodoc updates by @​github-actions in https://github.com/lestrrat-go/jwx/pull/1213
• update comments to include iat (#​1216) by [@​lestrrat](https://redirect.github.com/les

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (2)

• go.mod is excluded by !**/*.mod
• go.sum is excluded by !**/*.sum, !**/*.sum

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f0d2622e-5f10-4b09-9268-39ef5493db59

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/major-security

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 0.00%. Comparing base (b2203c1) to head (36ab816).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files

@@     Coverage Diff     @@
##   main   #186   +/-   ##
===========================
===========================

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.