chore(deps): update module github.com/lestrrat-go/jwx/v3 to v4 (9.3)

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
github.com/lestrrat-go/jwx/v3	indirect	major	v3.0.13 -> v4.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

lestrrat-go/jwx (github.com/lestrrat-go/jwx/v3)

v4.0.0

Compare Source

Changes

v4 has many incompatibilities with v3. To see the full list of differences between
v3 and v4, please read the Changes-v4.md file. Coding Agents should read MIGRATION-v4.md

v4.0.0 - 19 Apr 2026

• Initial v4 release. Major features:
  • Lighter: Core / Companion module separation. Less dependencies in core.
  • Faster: Use of generics and other optimizations make v4 2x~3x faster than before.
  • Quantum-Ready: ML-KEM and ML-DSA, HPKE (+Hybrid) are supported through companion modules.
• See Changes-v4.md for a full set of Changes since v3.

v3.1.0

Compare Source

See Changes file for curated list of changes

What's Changed

• Appease linter by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1543
• Bump kentaro-m/auto-assign-action from 2.0.0 to 2.0.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15388
• Bump actions/checkout from 6.0.1 to 6.0.2 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15422
• Bump actions/setup-go from 6.1.0 to 6.2.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15366
• Bump actions/cache from 5.0.1 to 5.0.2 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15399
• Add AGENTS.md by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1546
• exclude AGENTS.md by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1548
• Bump actions/cache from 5.0.2 to 5.0.3 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15455
• Bump golang.org/x/crypto from 0.46.0 to 0.47.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15355
• Add symlink by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1549
• Fix jwk.Cache worker issues by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1552
• Exclude CLAUDE.md from autodoc by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1555
• Bump github.com/valyala/fastjson from 1.6.7 to 1.6.9 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15611
• Bump actions/stale from 10.1.1 to 10.2.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15599
• Bump golang.org/x/crypto from 0.47.0 to 0.48.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15577
• Reduce allocations in concatkdf Read by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1562
• Eliminate redundant lock acquisitions in LookupKeyID by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1563
• Replace make+copy with bytes.Clone by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1564
• Use base64.Encode instead of EncodeToString in JWS marshal by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1565
• Cache keyalg/ctalg String() in JWE encrypt/decrypt by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1566
• Inline ndata() in concatkdf New by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1567
• Fix dependabot workflow by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1574
• Bump github.com/valyala/fastjson from 1.6.9 to 1.6.10 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15688
• Bump github.com/decred/dcrd/dcrec/secp256k1/v4 from 4.4.0 to 4.4.1 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15700
• Bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 in /examples by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15711
• Bump actions/setup-go from 6.2.0 to 6.3.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15733
• harden dependabot workflow by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1575
• fix inverted rlocker condition in RSA key export by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1576
• Fix jwe decrypt typo by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1577
• Fix example naming by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1578
• Chore remove unused blank assigns by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1579
• add WhitelistError sentinel, use errors.Is in test by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1581
• standardize error helpers in jws and jwe by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1582
• add fuzz testing infrastructure for jwt/jws/jwe/jwk by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1583
• fix flaky cache and jwt validation tests by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1585
• add .claude/docs and pre-read rules to AGENTS.md by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1584
• Bump golang.org/x/crypto from 0.48.0 to 0.49.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15877
• Bump github.com/emmansun/gmsm from 0.21.5 to 0.41.1 in /examples by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15900
• Bump actions/cache from 5.0.3 to 5.0.4 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15933
• Bump github.com/goccy/go-json from 0.10.3 to 0.10.6 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15899
• Bump kentaro-m/auto-assign-action from 2.0.1 to 2.0.2 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15955
• use standard go deprecation markers in jws by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1596
• fix probe field name in panic message by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1597
• Bump github.com/lestrrat-go/httprc/v3 from 3.0.4 to 3.0.5 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/15999
• Bump actions/setup-go from 6.3.0 to 6.4.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/16000
• enforce crit header validation in jws.Verify per RFC 7515 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1601
• validate crit header in VerifyCompactFast by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1602
• fix X25519 ECDH-ES to include apu/apv in KDF by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1603
• enforce minimum PBES2 iteration count by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1604
• reject null JSON values for string claims (#​1484) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1605
• add RFC 9864 fully-specified EdDSA signature algorithms by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1606
• add extension APIs and KeyKind dispatch for external algorithm modules by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1607
• add jwkunsafe package docs and tests by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1609
• delegate custom algorithm registration to dsig by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1610
• autodoc updates by @​github-actions[bot] inhttps://github.com/lestrrat-go/jwx/pull/16111
• pin ed448 module to latest jwx by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1612
• move ed448 to external jwx-circl-ed448 repo by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1613
• autodoc updates by @​github-actions[bot] inhttps://github.com/lestrrat-go/jwx/pull/16144
• pin jwx-circl-ed448 to latest commit by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1615
• update Changes for v3.0.14 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1616
• use jwk.Import fallback in AlgorithmsForKey by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1617
• fix OKP key export dispatch for Ed448 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1618
• fix misleading Ed448 dispatch comments in jwsbb by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1619
• add RegisterAlgorithmForCurve, filter AlgorithmsForKey by curve by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1620
• pin jwx-circl-ed448 to ce28e4b in examples by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1621
• add WithMaxFetchBodySize to limit Fetch response body by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1622
• add per-call PBES2 count overrides to jwe.Decrypt by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1623
• fix X509CertChain() to return false when chain is nil by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1624
• fix data race in x509 decoder registry iteration by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1625
• add max key count limit to PEM parsing loop by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1626
• reject negative WithAcceptableSkew in jwt.Validate by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1627
• accept year 0000 in OIDC birthdate per spec by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1628
• update Changes for #​1620-#​1628 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1629
• add max input size limit to jwt/jwe ParseReader by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1630
• add global default for MaxFetchBodySize by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1631
• fix parse size limit race, validation, and jws coverage by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1632
• add max recipients limit for JWE messages by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1633
• add default HTTP timeout for jwk.Fetch by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1634
• document jti replay protection as caller responsibility by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1635
• add max signatures limit for JWS messages by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1636
• add default redirect policy for jwk.Fetch by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1637
• add jwk.DefaultHTTPClient by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1638
• check redirect scheme downgrade at every hop by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1639
• apply default redirect policy to jwk.Cache by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1640
• make null string claim rejection opt-in by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1641
• add jwk.WrapHTTPClientDefaults by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1642
• update Changes for #​1630-#​1640 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1643
• document WithHTTPClient bypass of defaults by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1646
• use atomic wrappers for global settings by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1647
• reuse shared HTTP client in Cache.Register by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1648
• accept ParseOption in jws.ParseString by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1650
• validate maxSignatures is positive by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1649
• document body size limit approach in jwk.Fetch by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1651
• remove minor entries from Changes by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1653
• make WithStrictStringClaims per-call only by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1654
• add per-call opt-out for crit header validation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1655
• protect global settings with mutex by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1656
• document WithStrictStringClaims scope to JWT only by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1657
• document WithStrictStringClaims scope includes JWK by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1658
• deep-copy slice fields in generated Set methods by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1659
• zero private key fields on UnmarshalJSON error by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1660
• document x509 validation as out of scope by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1661
• update Changes for #​1659 and #​1660 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1662
• fix inconsistent mutex locking in data structures by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1666
• replace intermediate map in MarshalJSON with pair+pool by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1667
• validate algorithm-key compatibility in WithKey by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1668
• reduce allocations in JWE encrypt path by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1676
• Bump golang.org/x/crypto from 0.49.0 to 0.50.0 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/16844
• clean up jws sign/verify code for legibility by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1687
• clean up jws sign/verify key selection code by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1689
• fix dependabot workflow for develop/v2 bazel by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1691
• use squash merge in dependabot workflow by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1692
• remove auto-approve and auto-merge from dependabot workflow by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1693
• scrub full backing array in byte slice pool by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1729
• clear fieldPair list before returning to pool by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1732
• rework jws crit header validation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1733
• add jwe crit header validation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1735
• clone per-recipient headers, recycle via headerPool by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1739
• reject ecdh keys in AlgorithmsForKey by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1741
• stop pooling escaping big.Int in buildRSAPublicKey by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1745
• auto-declare b64 crit when WithDetachedPayload is set by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1748
• fail loudly on rand.Reader errors in key gen helpers by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1751
• drop big.Int pool by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1754
• fix race in jwk/ecdsa lookup functions by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1756
• clone protected headers in signatureBuilder.Build by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1759
• fix ValidationCtx extractors panicking on uninitialized contexts by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1761
• docs: note ES256K low-S non-enforcement by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1763
• reject empty ciphertext/iv/tag in jwe.Message.UnmarshalJSON by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1768
• drop unprotected header merge from jwe.Decrypt by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1770
• document VerifyCompactFast b64:true assumption by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1773
• pin unprotected header merge fix with regression test by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1776
• validate AES-CBC IV length in aescbc.Hmac.Open by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1778
• reslice pooled jwe buffers before defer by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1781
• reject sub-minimum input in RFC 3394 keywrap primitives by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1784
• add jwe.WithPBES2Count encrypt option by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1782
• jwe: use privkey.Size() for RSA PKCS1v1.5 length check by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1788
• document default InsecureWhitelist on jwk.Fetch (JWK-001) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1790
• reject crit-bearing messages in jws.VerifyCompactFast by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1793
• jwe: stop aliasing AAD backing slices when concatenating external aad by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1796
• validate ECDSA point on curve (JWK-003) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1797
• copy recipientKey in KeyDecryptAESGCMKW to avoid caller aliasing (JWE-002) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1800
• strip key options in jwt.ParseInsecure by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1802
• Bump actions/cache from 5.0.4 to 5.0.5 by @​dependabot[bot] inhttps://github.com/lestrrat-go/jwx/pull/17955
• enforce jws signatures cap before decoding entries by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1804
• cap SplitCompactReader non-finite reads at 10 MiB by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1806
• copy rawKey in symmetricKey.Import to avoid caller aliasing by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1808
• enforce max parse input size in jws.Parse and jwe.Parse by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1809
• fix cert.Chain.Add to strip real PEM markers by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1814
• fix jwk x509 decoder unregister index and race by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1812
• fix jwt fast path json injection via unescaped kid by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1817
• fix nil-aware ok return in jws header accessors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1818
• fix: jwk.PublicSetOf rejects symmetric keys by default (v3.1.0) by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1829
• autodoc updates by @​github-actions[bot] inhttps://github.com/lestrrat-go/jwx/pull/18322
• fix jwk rsa exponent truncation and thumbprint collision by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1833
• fix cert.Chain MarshalJSON and validate Add input by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1836
• fix jwt fast path json injection via unescaped alg by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1838
• track aes-cbc-hmac tag length independently of key size by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1841
• fix jwe aescbc open opaque errors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1843
• fix jwe keyset selecting keys without alg field by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1845
• fix jwe ecdh-es invalid-curve attack surface by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1847
• fix jwk.Set.AddKey panic on nil or struct keys by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1852
• fix jwk parser to validate keys after unmarshal by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1854
• wrap underlying error in jwk set single-key fallback by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1856
• fix cmd/jwx output file mode and truncation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1858
• fix jwt.ParseHeader bearer scheme per rfc 6750 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1859
• make MissingRequiredClaimError.Is type-only by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1862
• document WithUseNumber concurrency contract as startup-only by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1864
• reject key-bearing options in jwt.ParseInsecure by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1867
• bound jws keyset verification fan-out by header alg by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1869
• add jwk.WithForceAssign to overwrite existing kid by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1874
• tighten HeaderGetStringBytes lifetime doc by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1876
• fix jwxio limited reader detection by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1877
• fix jwa error truncation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1880
• fix jwa registry snapshots by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1883
• tighten jws validateAlgorithmForKey escape by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1887
• fix jws jku kid-miss silent nil by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1888
• surface jku kid-miss error from jkuProvider by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1891
• fix jws VerifyCompactFast header alg cross-check by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1893
• fix okp key length checks by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1896
• fix jwa builtin protection by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1899
• fix v3 rsa jwk validation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1895
• fix compact sign errors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1902
• zero bytes.Buffer backing array on pool return by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1905
• remove internal/json.Dump debug helper by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1907
• fix SplitCompactReader LimitedReader size bypass by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1909
• fix jwe godoc references by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1911
• fix v3 jwt package docs by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1915
• fix v3 jwe cek length checks by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1918
• make x5c cert limits configurable by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1919
• document v3 transform.AsMap aliasing by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1920
• fix v3 ecdsa algorithms snapshot by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1923
• fix jwxio limitedreader bounds by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1924
• warn about jws WithKey misuse in v3 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1930
• fix v3 jws parse autodetect by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1927
• fix empty compact jws signature by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1933
• fix v3 jwe p2c validation by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1935
• fix v3 jwe gcmkw header typing by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1939
• fix v3 jwe aescbc append by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1937
• document jwe compression caveats by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1941
• warn about jwe rsa1_5 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1943
• document jwe WithKey pairs in v3 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1945
• fix PublicSetOf oct bypass in v3 by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1946
• docs: warn about short symmetric keys by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1949
• add jws.WithDetachedPayloadReader for streaming detached payloads by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1663
• jws: return non-nil empty []byte from streaming Verify by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1979
• clarify jwe decrypt unprotected-header scope by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1983
• drop raw input-byte caps from parse apis by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1985
• fix ClaimValueIs panic on non-comparable values by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1987
• clarify EncryptStatic CEK for direct-CEK algs by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1990
• jwk: add WithMaxKeys cap on JWKS entries by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1991
• jws: expand WithDetachedPayloadReader encoder-missing error with install hint by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1993
• jws: document goroutine-safety for WithDetachedPayloadReader by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1997
• jws: explain RFC 8032 EdDSA streaming incompatibility in error message by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/1995
• jws: align streaming HMAC key-type error with non-streaming path by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2000
• jwe: fix grammar in ECDH-ES/DIRECT multi-recipient error by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2002
• jws: drop double-wrap on compact parse errors by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2004
• jwt: guard Validate against nil token by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2007
• jws: make jkuProvider surface missing-alg error by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2009
• jws: surface per-key selectKey errors in keySetProvider by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2011
• jws: surface use=enc mismatch as explicit error by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2013
• jwt: stop using dynamic fmt.Errorf format string in ParseRequest by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2017
• jws: document kid precedence on WithProtectedHeaders by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2024
• jwk: add WithRejectDuplicateKID parse option by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2027
• jwk: replace misleading RegisterKeyImporter godoc by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2029
• jwt: wrap unsupported-time-claim error as ValidateError by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2015
• changes: add jwk.WithRejectDuplicateKID entry by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2033
• fix v3.1.0 changelog inaccuracies and add missing entries by @​lestrrat in https://github.com/lestrrat-go/jwx/pull/2037

Full Changelog: lestrrat-go/jwx@v3.0.13...v3.1.0

---

Configuration

📅 Schedule: Branch creation - "* 1 * * 1-5" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[elastic-renovate-prod]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 2 additional dependencies were updated

Details:

Package	Change
golang.org/x/tools	v0.43.0 -> v0.44.0
golang.org/x/mod	v0.34.0 -> v0.35.0

[elastic-renovate-prod]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: go.sum

Command failed: go get -d -t ./...
go: -d flag is deprecated. -d=true is a no-op
go: github.com/elastic/sarama@v1.24.1-elastic: parsing go.mod:
	module declares its path as: github.com/Shopify/sarama
	        but was required as: github.com/elastic/sarama

[elastic-renovate-prod]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[elastic-renovate-prod]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.