rust-spiffe icon indicating copy to clipboard operation
rust-spiffe copied to clipboard
verified publisher icon maxlambrecht

Update to `jsonwebtoken` v10

Open dsykes16 opened this issue 3 months ago • 1 comments

Add aws-lc-rs and rust-crypto features, exactly one of which is required to be enabled by jsonwebtoken v10. rust-crypto is now part of default features.

Use new jsonwebtoken::dangerous::insecure_decode to support jsonwebtoken v10, which introduced breaking changes to the previous workaround to insecurely decode a JWT.

BREAKING CHANGE: rust-crypto and aws-lc-rs are mutually exclusive so --all-features will fail. This is an inherent limitation of jsonwebtoken v10 at this time.

BREAKING CHANGE: dependency on ring is eliminated and replaced by either aws-lc-rs OR rust-crypto.

dsykes16 avatar Oct 07 '25 21:10 dsykes16

This will supersede #173. Once https://github.com/Keats/jsonwebtoken/pull/441 is merged and a new version of jsonwebtoken is released I'll drop the patch and mark this as ready. Will also need to pin jsonwebtoken to >= 10.0.1, < 11 (or >= 10.1.0, < 11 depending on how Keats versions it).

dsykes16 avatar Oct 07 '25 21:10 dsykes16