Sourced from github.com/go-jose/go-jose/v3's releases.

v3.0.4

What's Changed

Backport fix for GHSA-c6gw-w398-hv78 CVE-2025-27144 go-jose/go-jose#174

Full Changelog: https://github.com/go-jose/go-jose/compare/v3.0.3...v3.0.4

Version 3.0.3

Fixed

• Limit decompression output size to prevent a DoS. Backport from v4.0.1.

Version 3.0.2

Fixed

• DecryptMulti: handle decompression error (#19)

Changed

• jwe/CompactSerialize: improve performance (#67)
• Increase the default number of PBKDF2 iterations to 600k (#48)
• Return the proper algorithm for ECDSA keys (#45)
• Update golang.org/x/crypto to v0.19 (#94)

Added

• Add Thumbprint support for opaque signers (#38)

Version 3.0.1

Fixed

Security issue: an attacker specifying a large "p2c" value can cause JSONWebEncryption.Decrypt and JSONWebEncryption.DecryptMulti to consume large amounts of CPU, causing a DoS. Thanks to Matt Schwager (@​mschwager) for the disclosure and to Tom Tervoort for originally publishing the category of attack. https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf

The release is tagged off the release-v3.0.1 branch to avoid mixing in some as-yet unreleased changes on the v3 branch.

• 5253038 Backport fix 167 to v3 (#174)
• 047dc99 CI: Update github actions and go version (#173)
• 0f017e9 Revert #26 (ignore unsupported JWKs in Sets) (#131)
• 3e2bbef Unmarshal jwk keys with unsupported key type or algorithm into empty … (#26)
• add6a28 v3: backport decompression limit fix (#107)
• 11bb4e7 doc: in v3 branch's README, point to v4 as latest (#101)
• 863f73b v3.0.2: Update changelog (#95)
• bdbc794 Update golang.org/x/crypto to v0.19 (backport) (#94)
• 25bce79 Updated go-jose v3.0.0 to v3.0.1 in jose-util (#70)
• aa386df jwe/CompactSerialize: improve performance. (#67)
• Additional commits viewable in compare view

Sourced from github.com/golang-jwt/jwt/v5's releases.

v5.2.2

What's Changed

• Fixed https://github.com/golang-jwt/jwt/security/advisories/GHSA-mh63-6h87-95cp by @​mfridman
• Fixed some typos by @​Ashikpaul in golang-jwt/jwt#382
• build: add go1.22 to ci workflows by @​mfridman in golang-jwt/jwt#383
• Bump golangci/golangci-lint-action from 4 to 5 by @​dependabot in golang-jwt/jwt#387
• Bump golangci/golangci-lint-action from 5 to 6 by @​dependabot in golang-jwt/jwt#389
• chore: bump ci tests to include go1.23 by @​mfridman in golang-jwt/jwt#405
• Fix jwt -show by @​AlexanderYastrebov in golang-jwt/jwt#406
• docs: typo by @​kvii in golang-jwt/jwt#407
• Update SECURITY.md by @​oxisto in golang-jwt/jwt#416
• Update jwt.Parse example to use jwt.WithValidMethods by @​mattt in golang-jwt/jwt#425

New Contributors

• @​Ashikpaul made their first contribution in golang-jwt/jwt#382
• @​kvii made their first contribution in golang-jwt/jwt#407
• @​mattt made their first contribution in golang-jwt/jwt#425

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.2.1...v5.2.2

v5.2.1

What's Changed

• chore: remove unnecessary conversions from tests by @​estensen in golang-jwt/jwt#370
• Trivial: Typo fix for ECDSA error message by @​tjs-cinemo in golang-jwt/jwt#373
• Fix incorrect error return by @​ss49919201 in golang-jwt/jwt#371

New Contributors

• @​tjs-cinemo made their first contribution in golang-jwt/jwt#373
• @​ss49919201 made their first contribution in golang-jwt/jwt#371

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.2.0...v5.2.1

v5.2.0

What's Changed

• Exported NewValidator by @​oxisto in golang-jwt/jwt#349
• Improve ErrInvalidKeyType error messages by @​Laurin-Notemann in golang-jwt/jwt#361
• Update MIGRATION_GUIDE.md by @​jbarham in golang-jwt/jwt#363

New Contributors

• @​Laurin-Notemann made their first contribution in golang-jwt/jwt#361
• @​jbarham made their first contribution in golang-jwt/jwt#363

Full Changelog: https://github.com/golang-jwt/jwt/compare/v5.1.0...v5.2.0

v5.1.0

What's Changed

• Using jwt's native ErrInvalidType instead of json.UnsupportedTypeError by @​oxisto in golang-jwt/jwt#316
• Fix typos in comments and test names by @​alexandear in golang-jwt/jwt#317
• Format: add whitespaces, remove empty lines by @​alexandear in golang-jwt/jwt#319
• Refactor example: use io.ReadAll instead of io.Copy by @​alexandear in golang-jwt/jwt#320

... (truncated)

• 0951d18 Merge commit from fork
• c035977 Update Parse example to use WithValidMethods (#425)
• bc8bdca Update SECURITY.md (#416)
• 5ec246c docs: typo (#407)
• 0123f1a Fix jwt -show (#406)
• f961c72 chore: bump ci tests to include go1.23 (#405)
• 62e504c Bump golangci/golangci-lint-action from 5 to 6 (#389)
• 1a56dcf Bump golangci/golangci-lint-action from 4 to 5 (#387)
• c8043ea build: add go1.22 to ci workflows (#383)
• 7c3f6dc Update README.md (#382)
• Additional commits viewable in compare view

• 405cb3b go.mod: update golang.org/x dependencies
• 913d3ae x509roots/fallback: update bundle
• dbb6ec1 ssh/test: skip tests on darwin that fail on the darwin-amd64-longtest LUCI bu...
• 403f699 ssh/test: avoid leaking a net.UnixConn in server.TryDialWithAddr
• 055043d go.mod: update golang.org/x dependencies
• 08396bb internal/poly1305: drop Go 1.12 compatibility
• 9d2ee97 ssh: implement strict KEX protocol changes
• 4e5a261 ssh: close net.Conn on all NewServerConn errors
• 152cdb1 x509roots/fallback: update bundle
• fdfe1f8 ssh: defer channel window adjustment
• Additional commits viewable in compare view

Sourced from github.com/gofiber/fiber/v2's releases.

v2.52.12

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.11...v2.52.12

v2.52.11

What's Changed

🧹 Updates

• Improve mount functionality by @​gaby in gofiber/fiber#3900

🐛 Bug Fixes

• Backport defensive copying fixes from #3828 and #3829 to v2 by @​sixcolors in gofiber/fiber#3888
• Fixes and improvements for limiter middleware by @​gaby in gofiber/fiber#3899

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.10...v2.52.11

v2.52.10

🐛 Bug Fixes

• Handle invalid path in filesystem by @​rokostik in gofiber/fiber#3688
• Fix recover middleware panic output formatting by @​ReneWerner87 in gofiber/fiber#3818
• Fix enforcement of Immutable config for some edge cases by @​gaby in gofiber/fiber#3835

📚 Documentation

• Document RoutePatternMatch by @​ReneWerner87 in gofiber/fiber#3723

New Contributors

• @​rokostik made their first contribution in gofiber/fiber#3688

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.9...v2.52.10

v2.52.9

🐛 Bug Fixes

• Add upper index limit for parsers by @​gaby in gofiber/fiber#3503
• Embedded struct parsing by @​ReneWerner87 in gofiber/fiber#3478
• Fix Content-Type comparison in Is() by @​gaby in gofiber/fiber#3537
• Fix MIME type equality checks by @​gaby in gofiber/fiber#3603

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.8...v2.52.9

v2.52.8

👮 Security

• Fix for BodyParser - GHSA-hg3g-gphw-5hhm

... (truncated)

• 6cba195 Bump fiber package version to 2.52.12
• 5ebbee7 docs: update image paths to v2 in README files
• 5028167 Merge commit from fork
• 42380aa fix: adapt tests for v2 - use defer/recover pattern and correct Handler signa...
• 7cffe29 refactor: use helper function for param route generation in tests
• 5494de8 🐛 bug: add panic for routes with >30 parameters (GHSA-mrq8-rjmw-wpq3)
• 65b0f3d Bump version to 2.52.11
• 1b53334 Modernize error handling in UUID functions (#3941)
• eb874b6 Merge commit from fork
• 4ff945a 🩹 bug: Fix ErrorHandler invocation for mounted sub-apps (#3907)
• Additional commits viewable in compare view

Sourced from github.com/gofiber/fiber/v2's releases.

v2.52.12

🐛 Fixes

• CVE fix GHSA-mrq8-rjmw-wpq3

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.11...v2.52.12

v2.52.11

What's Changed

🧹 Updates

• Improve mount functionality by @​gaby in gofiber/fiber#3900

🐛 Bug Fixes

• Backport defensive copying fixes from #3828 and #3829 to v2 by @​sixcolors in gofiber/fiber#3888
• Fixes and improvements for limiter middleware by @​gaby in gofiber/fiber#3899

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.10...v2.52.11

v2.52.10

🐛 Bug Fixes

• Handle invalid path in filesystem by @​rokostik in gofiber/fiber#3688
• Fix recover middleware panic output formatting by @​ReneWerner87 in gofiber/fiber#3818
• Fix enforcement of Immutable config for some edge cases by @​gaby in gofiber/fiber#3835

📚 Documentation

• Document RoutePatternMatch by @​ReneWerner87 in gofiber/fiber#3723

New Contributors

• @​rokostik made their first contribution in gofiber/fiber#3688

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.9...v2.52.10

v2.52.9

🐛 Bug Fixes

• Add upper index limit for parsers by @​gaby in gofiber/fiber#3503
• Embedded struct parsing by @​ReneWerner87 in gofiber/fiber#3478
• Fix Content-Type comparison in Is() by @​gaby in gofiber/fiber#3537
• Fix MIME type equality checks by @​gaby in gofiber/fiber#3603

Full Changelog: https://github.com/gofiber/fiber/compare/v2.52.8...v2.52.9

v2.52.8

👮 Security

• Fix for BodyParser - GHSA-hg3g-gphw-5hhm

... (truncated)

• 6cba195 Bump fiber package version to 2.52.12
• 5ebbee7 docs: update image paths to v2 in README files
• 5028167 Merge commit from fork
• 42380aa fix: adapt tests for v2 - use defer/recover pattern and correct Handler signa...
• 7cffe29 refactor: use helper function for param route generation in tests
• 5494de8 🐛 bug: add panic for routes with >30 parameters (GHSA-mrq8-rjmw-wpq3)
• 65b0f3d Bump version to 2.52.11
• 1b53334 Modernize error handling in UUID functions (#3941)
• eb874b6 Merge commit from fork
• 4ff945a 🩹 bug: Fix ErrorHandler invocation for mounted sub-apps (#3907)
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.