Skip to content

Update to jsonwebtoken v10 #176

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 5 commits into
base: main
Choose a base branch
from
Draft

Update to jsonwebtoken v10 #176

wants to merge 5 commits into from

Conversation

@dsykes16
Copy link

@dsykes16 dsykes16 commented Oct 7, 2025

Add aws-lc-rs and rust-crypto features, exactly one of which is
required to be enabled by jsonwebtoken v10. rust-crypto is now
part of default features.

Use new jsonwebtoken::dangerous::insecure_decode to support
jsonwebtoken v10, which introduced breaking changes to the previous
workaround to insecurely decode a JWT.

BREAKING CHANGE: rust-crypto and aws-lc-rs are mutually exclusive so
--all-features will fail. This is an inherent limitation of
jsonwebtoken v10 at this time.

BREAKING CHANGE: dependency on ring is eliminated and replaced by
either aws-lc-rs OR rust-crypto.

@dsykes16
feat!: support aws-lc-rs or rust-crypto; remove ring
422500c 
Add `aws-lc-rs` and `rust-crypto` features, exactly one of which is
required to be enabled by `jsonwebtoken` v10. `rust-crypto` is now
part of `default` features.

Use new `jsonwebtoken::dangerous::insecure_decode` to support
jsonwebtoken v10, which introduced breaking changes to the previous
workaround to insecurely decode a JWT.

BREAKING CHANGE: `rust-crypto` and `aws-lc-rs` are mutually exclusive so
`--all-features` will fail. This is an inherent limitation of
`jsonwebtoken` v10 at this time.

BREAKING CHANGE: dependency on `ring` is eliminated and replaced by
either `aws-lc-rs` OR `rust-crypto`.

Signed-off-by: Dwayne Sykes <[email protected]>
@dsykes16
!DROPME: temporary patch to test new jsonwebtoken features
31a4027 
Signed-off-by: Dwayne Sykes <[email protected]>
@dsykes16
ci: run integration tests w/ aws-lc-rs feature
e7d2475 
Add 'Run Integration Tests with aws-lc-rs' step to 'Build and Test'
CI job to ensure functionality with `aws-lc-rs` (alternative to
`rust-crypto`).

Signed-off-by: Dwayne Sykes <[email protected]>
@dsykes16
Copy link
Author

dsykes16 commented Oct 7, 2025

This will supersede #173. Once Keats/jsonwebtoken#441 is merged and a new version of jsonwebtoken is released I'll drop the patch and mark this as ready. Will also need to pin jsonwebtoken to >= 10.0.1, < 11 (or >= 10.1.0, < 11 depending on how Keats versions it).

@maxlambrecht maxlambrecht self-requested a review October 18, 2025 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@maxlambrecht maxlambrecht Awaiting requested review from maxlambrecht

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@dsykes16 @maxlambrecht