chore(deps): bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1 by dependabot[bot] · Pull Request #1513 · auth0/auth0-cli

dependabot · 2026-05-07T07:53:12Z

Bumps github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1.

Release notes

Sourced from github.com/lestrrat-go/jwx/v3's releases.

v3.1.1

For more detailed release notes, see Changes.

What's Changed

build(deps): bump pozil/auto-assign-issue from 2.2.0 to 2.2.1 by @dependabot[bot] in lestrrat-go/jwx#2045

guard ecdsa coordinates against oversized big.Int by @lestrrat in lestrrat-go/jwx#2050

reject jwe with conflicting alg in protected vs per-recipient by @lestrrat in lestrrat-go/jwx#2052

fix AddressClaim.MarshalJSON for non-printable bytes by @lestrrat in lestrrat-go/jwx#2056

jwt: only call ParseForm when WithFormKey is supplied by @lestrrat in lestrrat-go/jwx#2058

jws: jkuProvider rejects fetched keys marked use=enc by @lestrrat in lestrrat-go/jwx#2060

jwa: unify SignatureAlgorithm/KeyEncryption/ContentEncryption into one registry by @lestrrat in lestrrat-go/jwx#2066

build(deps): bump pozil/auto-assign-issue from f245a9119ba5cc2fed4aa7b8268d576d40acddf0 to 7bf9d82c77d45976224660b873fc83e60576c5aa by @dependabot[bot] in lestrrat-go/jwx#2065

cmd/jwx: warn on private-key-to-tty + reject keysize<=0 for oct by @lestrrat in lestrrat-go/jwx#2071

jws: refuse "b64" header in VerifyCompactFast by @lestrrat in lestrrat-go/jwx#2081

jws: VerifyCompactFast refusals match jws.VerifyError() class by @lestrrat in lestrrat-go/jwx#2083

jws: name loose keySet options in fan-out verify error by @lestrrat in lestrrat-go/jwx#2085

jws: honor RFC 7797 b64=false in Message.MarshalJSON by @lestrrat in lestrrat-go/jwx#2087

jws: reject literal-JSON "protected" in general-form JWS by @lestrrat in lestrrat-go/jwx#2089

jwt: ParseRequest: don't skip form body on chunked transfer by @lestrrat in lestrrat-go/jwx#2091

jwt: pedantic mode enforces cty=JWT nested-envelope shape by @lestrrat in lestrrat-go/jwx#2094

jwt: defensively reject missing claims in MaxDeltaIs / MinDeltaIs by @lestrrat in lestrrat-go/jwx#2099

jwt: ParseInsecure: parse loop-local payload, not original input by @lestrrat in lestrrat-go/jwx#2097

jws: Verify rejects b64=false without "b64" listed in "crit" by @lestrrat in lestrrat-go/jwx#2102

jws: Sign auto-declares "b64" in "crit" when emitting b64=false by @lestrrat in lestrrat-go/jwx#2104

jws: declare "b64" as typed bool header field by @lestrrat in lestrrat-go/jwx#2106

jws: reject general-form JWS with top-level "header" sibling of "signatures" by @lestrrat in lestrrat-go/jwx#2108

jws: typed sentinel for AlgorithmsForKey unclassifiable-key failures by @lestrrat in lestrrat-go/jwx#2110

jws: VerifyMessage observes ctx cancellation between loop iterations by @lestrrat in lestrrat-go/jwx#2112

jws: cleanup follow-ups from recent review (low-severity batch) by @lestrrat in lestrrat-go/jwx#2114

jwe: DecryptMessage observes ctx cancellation between loop iterations by @lestrrat in lestrrat-go/jwx#2117

jwe: parse and bound-check PBES2 p2c in int64 space; name the violated bound by @lestrrat in lestrrat-go/jwx#2119

jwe: WithKey validates alg-vs-key shape at option-time by @lestrrat in lestrrat-go/jwx#2121

jwe: compression cap error names "decompressed" payload, the option, and the size by @lestrrat in lestrrat-go/jwx#2123

jwe: bound joined-error count and drop redundant outer Decrypt prefix by @lestrrat in lestrrat-go/jwx#2125

jwe: keySetProvider surfaces per-key errors via errors.Join by @lestrrat in lestrrat-go/jwx#2127

jwe: add WithDisabledKeyAlgorithms global policy hook by @lestrrat in lestrrat-go/jwx#2129

jwe: document WithMaxDecompressBufferSize behavior at non-positive values by @lestrrat in lestrrat-go/jwx#2131

jwk: stop duplicating JWK fields at JWKS top level on parse by @lestrrat in lestrrat-go/jwx#2133

jwk: wrap ParseKey errors with ParseError sentinel by @lestrrat in lestrrat-go/jwx#2135

jwk: stream the keys array with cap-before-allocate by @lestrrat in lestrrat-go/jwx#2137

jwk: treat nil key from custom KeyParser as continue, not success by @lestrrat in lestrrat-go/jwx#2140

jwk: fix phantom ContinueParseError refs and unmarshaler typo in docs by @lestrrat in lestrrat-go/jwx#2142

Changes: draft v3.1.1 release notes by @lestrrat in lestrrat-go/jwx#2155

Full Changelog: lestrrat-go/jwx@v3.1.0...v3.1.1

Changelog

Sourced from github.com/lestrrat-go/jwx/v3's changelog.

v3.1.1 7 May 2026

[jws] Coordinated RFC 7797 b64=false handling pass: jws.Verify rejects payloads with b64=false unless b64 is also listed in crit; jws.Sign auto-declares b64 in crit when emitting b64=false; Message.MarshalJSON honors b64=false instead of silently re-encoding; jws.VerifyCompactFast refuses any compact JWS carrying b64 (the fast path doesn't process extension headers); and b64 is now declared as a typed boolean header field rather than handled ad-hoc. (#2081, #2087, #2102, #2104, #2106)

[jws] Reject malformed general-form JSON-serialized JWS: inputs with a top-level header member as a sibling of signatures are rejected (the spec only permits header inside per-signature objects), as are inputs whose protected member is a literal JSON object instead of a base64url-encoded string. (#2089, #2108)

[jws] jws.AlgorithmsForKey failures from unclassifiable keys are now wrapped in a typed sentinel so callers can branch on "couldn't categorize this key" without string matching the error message. (#2110)

[jws] Verify error-shape consistency: VerifyCompactFast refusals now match the jws.VerifyError() taxonomy used by the slow path, fan-out verify errors name the loose WithKeySet options that were tried, multi-signature b64 mismatches name the offending signature index and conflicting value, and the compact b64=false+payload-contains-. error references RFC 7797 §5.2 and points at WithDetachedPayload. (#2083, #2085, #2114)

[jws] Keys fetched via the jku header are no longer accepted for signature verification when the JWK declares use=enc. (#2060)

[jws][jwe] jws.VerifyMessage and jwe.DecryptMessage observe context cancellation between loop iterations rather than only at boundaries. Long fan-out verify/decrypt loops now respond to a cancelled context promptly. (#2112, #2117)

[jwe] Reject PBES2 messages whose p2c (iteration count) does not parse cleanly into int64 or violates the configured bound. The error now names the violated bound (min vs max) instead of the generic "out of range". (#2119)

[jwe] jwe.WithKey() validates the alg-vs-key shape at option construction time rather than during encryption, so misuse surfaces at the call site instead of inside the encrypt loop. (#2121)

... (truncated)

Commits

59b8b1b release v3.1.1
4d4ab01 Changes: draft v3.1.1 release notes (#2155)
ad739f5 jwk: fix phantom ContinueParseError refs and unmarshaler typo in docs (#2142)
3227cf9 jwk: treat nil key from custom KeyParser as continue, not success (#2140)
82c067e jwk: stream the keys array with cap-before-allocate (#2137)
931a815 jwk: wrap ParseKey errors with ParseError sentinel (#2135)
53f6225 jwk: stop duplicating JWK fields at JWKS top level on parse (#2133)
8943519 jwe: document WithMaxDecompressBufferSize behavior at non-positive values (#2...
4797307 jwe: add WithDisabledKeyAlgorithms global policy hook (#2129)
de41d0e jwe: keySetProvider surfaces per-key errors via errors.Join (#2127)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/lestrrat-go/jwx/v3](https://github.com/lestrrat-go/jwx) from 3.1.0 to 3.1.1. - [Release notes](https://github.com/lestrrat-go/jwx/releases) - [Changelog](https://github.com/lestrrat-go/jwx/blob/v3.1.1/Changes) - [Commits](lestrrat-go/jwx@v3.1.0...v3.1.1) --- updated-dependencies: - dependency-name: github.com/lestrrat-go/jwx/v3 dependency-version: 3.1.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies One or more dependencies are being bumped go Pull requests that update Go code labels May 7, 2026

dependabot Bot requested a review from a team as a code owner May 7, 2026 07:53

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1#1513

chore(deps): bump github.com/lestrrat-go/jwx/v3 from 3.1.0 to 3.1.1#1513
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/go_modules/github.com/lestrrat-go/jwx/v3-3.1.1

dependabot Bot commented on behalf of github May 7, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 7, 2026

v3.1.1

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants