What's Changed

• Add guard against 'null' token and token parts by @SociableSteve in #602

New Contributors

• @SociableSteve made their first contribution in #602

Full Changelog: v6.2.1...v6.2.2

What's Changed

• Fix/regex non deterministic validation by @antoatta85 in #593
• fix: GHSA-cjw9-ghj4-fwxf CVE-2026-35041 ReDoS when using RegExp in allowed options by @antoatta85 in #595

Full Changelog: v6.2.0...v6.2.1

What's Changed

• chore(deps-dev): bump @types/node from 24.10.4 to 25.0.2 by @dependabot[bot] in #575
• fix: complete patch for GHSA-mvf2-f6gm-w987 and #586 by @dcs-soni in #598
• fix acceptance of unknown crit headers and comply with RFC 7515 by @antoatta85 in #591
• fix: cache confusion risk with composite-key approach by @antoatta85 in #587

New Contributors

• @dcs-soni made their first contribution in #598
• @antoatta85 made their first contribution in #591

Full Changelog: v6.1.0...v6.2.0

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.2 by @optic-release-automation[bot] in #564
• chore(deps-dev): bump @types/node from 22.15.32 to 24.0.3 by @dependabot[bot] in #565
• chore(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @dependabot[bot] in #567
• chore: import crypto once by @ilteoood in #568
• chore: migrate to OIDC publishing for npm releases by @zibs in #569
• feat: expose TOKEN_ERROR_CODES and derive duplicated error code types from it by @wopian in #573

New Contributors

• @zibs made their first contribution in #569
• @wopian made their first contribution in #573

Full Changelog: v6.0.2...v6.1.0

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.1 by @optic-release-automation in #557
• chore(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @dependabot in #558
• docs: Add error handling section with examples by @simoneb in #561
• Fix: error constructor in declaration file by @atlowChemi in #562

New Contributors

• @atlowChemi made their first contribution in #562

Full Changelog: v6.0.1...v6.0.2

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v6.0.0 by @optic-release-automation in #554
• feature: support negative expiresIn when signing tokens by @agubler in #556

Full Changelog: v6.0.0...v6.0.1

BREAKING CHANGES

This is a semver major release containing breaking changes to address more thoroughly the security vulnerability fixed in v5.0.6, which only fixed the vulnerability without introducing breaking changes.

This release takes it one step further by adhering more closely to the JWT specification.

More specifically, verification now expects all claims except for the aud claim to be single values, instead of supporting arrays of values.

This is a breaking change because JWTs containing claims in array format (with the exception of aud), now cause verification errors, while they were previously allowed.

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v5.0.6 by @optic-release-automation in #551
• feat!: align claim validation to specification by @agubler in #553

New Contributors

• @agubler made their first contribution in #553

Full Changelog: v5.0.6...v6.0.0

SECURITY RELEASE

This release contains a fix for GHSA-gm45-q3v2-6cf8.

Upgrading is strongly recommended.

Thanks to @tibrn for reporting, and @agubler for fixing it.

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v5.0.5 by @optic-release-automation in #540
• chore: fix node 23 by @ilteoood in #541
• chore(deps): bump mnemonist from 0.39.8 to 0.40.0 by @dependabot in #544
• chore: add type for cacheKeyBuilder by @aheckmann in #546
• Mitata benchmark by @andolivieri-nf in #548
• Fix benchmarks with regards to jsonwebtoken performance by @Gobd in #535

New Contributors

• @aheckmann made their first contribution in #546
• @andolivieri-nf made their first contribution in #548
• @Gobd made their first contribution in #535

Full Changelog: v5.0.5...v5.0.6

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v5.0.2 by @optic-release-automation in #525
• chore: upgrade deps by @ilteoood in #526
• Chore/types definition by @ilteoood in #527
• chore: fake timer by @ilteoood in #528
• Feat/generic signer verifier by @ilteoood in #529
• [OPTIC-RELEASE-AUTOMATION] release/v5.0.3 by @optic-release-automation in #530
• update nearform banner link by @msgadi in #533
• chore(deps-dev): bump eslint-config-prettier from 9.1.0 to 10.0.1 by @dependabot in #538
• [OPTIC-RELEASE-AUTOMATION] release/v5.0.4 by @optic-release-automation in #539

Full Changelog: v5.0.2...v5.0.5

What's Changed

• [OPTIC-RELEASE-AUTOMATION] release/v5.0.1 by @optic-release-automation in #523
• chore(types): Add missing input type for DecodedJwt and Updated input field to return decoded 'input' by @msgadi in #524

New Contributors

• @msgadi made their first contribution in #524

Full Changelog: v5.0.1...v5.0.2