rust-spiffe icon indicating copy to clipboard operation
rust-spiffe copied to clipboard
verified publisher icon maxlambrecht

Update jsonwebtoken requirement from 9 to 10 in /spiffe

Open dependabot[bot] opened this issue 3 months ago • 2 comments

Updates the requirements on jsonwebtoken to permit the latest version.

Changelog

Sourced from jsonwebtoken's changelog.

10.0.0 (2025-09-29)

  • BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
  • Add Clone bound to decode
  • Support decoding byte slices
  • Support JWS

9.3.1 (2024-02-06)

  • Update base64

9.3.0 (2024-03-12)

  • Add Validation.reject_tokens_expiring_in_less_than, the opposite of leeway

9.2.0 (2023-12-01)

  • Add an option to not validate aud in the Validation struct
  • Get the current timestamp in wasm without using std
  • Update ring to 0.17

9.1.0 (2023-10-21)

  • Supports deserialization of unsupported algorithms for JWKs

9.0.0 (2023-10-16)

  • Update ring
  • Rejects JWTs containing audiences when the Validation doesn't contain any

8.3.0 (2023-03-15)

  • Update base64
  • Implement Clone for TokenData if T impls Clone

8.2.0 (2022-12-03)

  • Add DecodingKey::from_jwk
  • Can now use PEM certificates if you have the use_pem feature enabled

8.1.1 (2022-06-17)

  • Fix invalid field name on OctetKeyParameters

8.1.0 (2022-04-12)

  • Make optional fields in the spec really optional

... (truncated)

Commits

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name Ignore Conditions
jsonwebtoken [>= 9.a, < 10]

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

dependabot[bot] avatar Sep 30 '25 01:09 dependabot[bot]

This will require some manual work, and also requires https://github.com/Keats/jsonwebtoken/pull/441 on the jsonwebtoken side. I'll put up a PR once the upstream change is made in jsonwebtoken. The main benefit will be supporting rust_crypto or aws_lc_rs instead of requiring ring.

dsykes16 avatar Oct 07 '25 09:10 dsykes16

This will require some manual work, and also requires Keats/jsonwebtoken#441 on the jsonwebtoken side. I'll put up a PR once the upstream change is made in jsonwebtoken. The main benefit will be supporting rust_crypto or aws_lc_rs instead of requiring ring.

Sounds good! Thanks, @dsykes16!

maxlambrecht avatar Oct 07 '25 16:10 maxlambrecht