Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: go-jose/go-jose
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v4.1.2
Choose a base ref
...
head repository: go-jose/go-jose
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v4.1.3
Choose a head ref
  • 6 commits
  • 13 files changed
  • 3 contributors

Commits on Aug 13, 2025

  1. Update CI to run on Go 1.24 and 1.25 (#204) 

    Go 1.25 is released! Move testing to 1.24 and 1.25.

This also makes the branch selection the same for everything - just
'**'. That should help simplify some handling of branches, which I've
been a bit annoyed at before.
    @mcpherrinm
    mcpherrinm authored Aug 13, 2025
    Configuration menu
    Copy the full SHA
    a16e158 View commit details
    Browse the repository at this point in the history

  2. Remove Go 1.23 support (#205) 

    With Go 1.25 released, we can drop compatibility with Go 1.23.

This removes the requirement for golang.org/x/crypto, making go-jose now
free of libraries outside the standard library.
    @mcpherrinm
    mcpherrinm authored Aug 13, 2025
    Configuration menu
    Copy the full SHA
    14239fd View commit details
    Browse the repository at this point in the history

Commits on Aug 18, 2025

  1. Bump actions/checkout from 4 to 5 (#206)

    @dependabot
    dependabot[bot] authored Aug 18, 2025
    Configuration menu
    Copy the full SHA
    9860c65 View commit details
    Browse the repository at this point in the history

Commits on Oct 2, 2025

  1. Bump actions/setup-go from 5 to 6 (#209)

    @dependabot
    dependabot[bot] authored Oct 2, 2025
    Configuration menu
    Copy the full SHA
    2126e17 View commit details
    Browse the repository at this point in the history

  2. Bump actions/setup-python from 5 to 6 (#208)

    @dependabot
    dependabot[bot] authored Oct 2, 2025
    Configuration menu
    Copy the full SHA
    9153a5e View commit details
    Browse the repository at this point in the history

Commits on Oct 3, 2025

  1. Reject JWS with an unprotected critical b64 header (#210) 

    The only critical header that go-jose supports is b64 from RFC7797.

go-jose correctly only respects that header if it appears in a protected
header. go-jose correctly rejects unknown critical headers.

However, go-jose does not reject a JWS which contains a critical b64
unprotected header.

I don't believe this has any security impact, as the only place this is
exposed is via the Signature header members which expose unprotected
headers, and so a library user is already aware they are not to be
trusted. The 'critical' behavior (of not base64-encoding the value,
defined in RFC7797) is not influenced here.

Return a new ErrUnsupportedCriticalHeader error exported as a constant.

Reported by: Muhammad Noman Ilyas @AL-Cybision

---------

Co-authored-by: Jacob Hoffman-Andrews <github@hoffman-andrews.com>
    @mcpherrinm @jsha
    mcpherrinm and jsha authored Oct 3, 2025
    Configuration menu
    Copy the full SHA
    5348b9a View commit details
    Browse the repository at this point in the history
Loading