Skip to content

Commit e0a3e37

Browse files
Release v10.0.0 (#1631)
2 parents aff188b + 18ddc88 commit e0a3e37

27 files changed

Lines changed: 86 additions & 165 deletions

.version

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
v9.32.0
1+
v10.0.0

CHANGELOG.md

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,5 +1,19 @@
11
# Change Log
22

3+
## [v10.0.0](https://github.com/auth0/auth0.js/tree/v10.0.0) (2026-05-06)
4+
[Full Changelog](https://github.com/auth0/auth0.js/compare/v9.32.0...v10.0.0)
5+
6+
**Fixed**
7+
8+
- Security fix: Resolve CVE-2026-42280
9+
10+
**Breaking change**
11+
12+
| Affected | Details |
13+
|---|---|
14+
| Apps using RS256 | No breaking change |
15+
| Apps using HS256 | `parseHash()` now returns an `invalid_token` error instead of silently succeeding. Must switch to RS256 in the Auth0 Dashboard: Applications → your app → Settings → Advanced Settings → OAuth → JsonWebToken Signature Algorithm → `RS256` |
16+
317
## [v9.32.0](https://github.com/auth0/auth0.js/tree/v9.32.0) (2026-03-25)
418
[Full Changelog](https://github.com/auth0/auth0.js/compare/v9.31.0...v9.32.0)
519

README.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -24,7 +24,7 @@ From CDN:
2424

2525
```html
2626
<!-- Latest patch release -->
27-
<script src="https://cdn.auth0.com/js/auth0/9.32.0/auth0.min.js"></script>
27+
<script src="https://cdn.auth0.com/js/auth0/10.0.0/auth0.min.js"></script>
2828
```
2929

3030
From [npm](https://npmjs.org):

dist/auth0.js

Lines changed: 6 additions & 42 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
/**
2-
* auth0-js v9.32.0
2+
* auth0-js v10.0.0
33
* Author: Auth0
4-
* Date: 2026-03-25
4+
* Date: 2026-05-06
55
* License: MIT
66
*/
77

@@ -6047,7 +6047,7 @@
60476047
if (hasRequiredVersion) return version$1;
60486048
hasRequiredVersion = 1;
60496049
version$1 = {
6050-
raw: '9.32.0'
6050+
raw: '10.0.0'
60516051
};
60526052
return version$1;
60536053
}
@@ -8772,9 +8772,7 @@
87728772
*
87738773
* Only validates id_tokens signed by Auth0 using the RS256 algorithm using the public key exposed
87748774
* by the `/.well-known/jwks.json` endpoint of your account.
8775-
* Tokens signed with the HS256 algorithm cannot be properly validated.
8776-
* Instead, a call to {@link userInfo} will be made with the parsed `access_token`.
8777-
* If the {@link userInfo} call fails, the {@link userInfo} error will be passed to the callback.
8775+
* Tokens signed with the HS256 algorithm cannot be properly validated and will result in an error.
87788776
* Tokens signed with other algorithms will not be accepted.
87798777
*
87808778
* @example
@@ -8839,9 +8837,7 @@
88398837
*
88408838
* Only validates id_tokens signed by Auth0 using the RS256 algorithm using the public key exposed
88418839
* by the `/.well-known/jwks.json` endpoint of your account.
8842-
* Tokens signed with the HS256 algorithm cannot be properly validated.
8843-
* Instead, a call to {@link userInfo} will be made with the parsed `access_token`.
8844-
* If the {@link userInfo} call fails, the {@link userInfo} error will be passed to the callback.
8840+
* Tokens signed with the HS256 algorithm cannot be properly validated and will result in an error.
88458841
* Tokens signed with other algorithms will not be accepted.
88468842
*
88478843
* @method validateAuthenticationResponse
@@ -8924,39 +8920,7 @@
89248920
return callback(null, payload);
89258921
});
89268922
}
8927-
if (validationError.error !== 'invalid_token' || validationError.errorDescription && validationError.errorDescription.indexOf('Nonce (nonce) claim value mismatch in the ID token') > -1) {
8928-
return callback(validationError);
8929-
}
8930-
8931-
// if it's an invalid_token error, decode the token
8932-
var decodedToken = new I().decode(parsedHash.id_token);
8933-
8934-
// if the alg is not HS256, return the raw error
8935-
if (decodedToken.header.alg !== 'HS256') {
8936-
return callback(validationError);
8937-
}
8938-
if ((decodedToken.payload.nonce || null) !== transactionNonce) {
8939-
return callback({
8940-
error: 'invalid_token',
8941-
errorDescription: 'Nonce (nonce) claim value mismatch in the ID token; expected "' + transactionNonce + '", found "' + decodedToken.payload.nonce + '"'
8942-
});
8943-
}
8944-
if (!parsedHash.access_token) {
8945-
var noAccessTokenError = {
8946-
error: 'invalid_token',
8947-
description: 'The id_token cannot be validated because it was signed with the HS256 algorithm and public clients (like a browser) can’t store secrets. Please read the associated doc for possible ways to fix this. Read more: https://auth0.com/docs/errors/libraries/auth0-js/invalid-token#parsing-an-hs256-signed-id-token-without-an-access-token'
8948-
};
8949-
return callback(noAccessTokenError);
8950-
}
8951-
8952-
// if the alg is HS256, use the /userinfo endpoint to build the payload
8953-
return _this.client.userInfo(parsedHash.access_token, function (errUserInfo, profile) {
8954-
// if the /userinfo request fails, use the validationError instead
8955-
if (errUserInfo) {
8956-
return callback(errUserInfo);
8957-
}
8958-
return callback(null, profile);
8959-
});
8923+
return callback(validationError);
89608924
});
89618925
};
89628926
function buildParseHashResponse(qsParams, appState, token) {

dist/auth0.min.esm.js

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dist/auth0.min.esm.js.map

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dist/auth0.min.js

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dist/auth0.min.js.map

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

dist/cordova-auth0-plugin.js

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
/**
2-
* auth0-js v9.32.0
2+
* auth0-js v10.0.0
33
* Author: Auth0
4-
* Date: 2026-03-25
4+
* Date: 2026-05-06
55
* License: MIT
66
*/
77

@@ -52,7 +52,7 @@
5252
if (hasRequiredVersion) return version$1;
5353
hasRequiredVersion = 1;
5454
version$1 = {
55-
raw: '9.32.0'
55+
raw: '10.0.0'
5656
};
5757
return version$1;
5858
}

dist/cordova-auth0-plugin.min.js

Lines changed: 3 additions & 3 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

0 commit comments

Comments
 (0)