8.5.3

Security

• If a key string is provided to the CryptKey constructor with an invalid
  passphrase, the LogicException message generated will expose the given key.
  The key is no longer leaked via this exception (PR #1353)

8.5.2

Changed

• Bumped the versions for laminas/diactoros and psr/http-message to support
  PSR-7 v2.0 (PR #1339)

8.5.1

Fixed

• Fixed PHP version constraints and lcobucci/clock version constraint to support PHP 8.1 (PR #1336)

8.5.0

Added

• Support for PHP 8.1 and 8.2 (PR #1333)

Removed

• Support PHP 7.2, 7.3, and 7.4 (PR #1333)

8.4.1

Fixed

• Fix deprecation notices for PHP 8.x (PR #1329)

8.4.0

Added

• You can now set a leeway for time drift between servers when validating a JWT (PR #1304)

Security

• Access token requests that contain a code_verifier but are not bound to a code_challenge will be rejected to prevent
  a PKCE downgrade attack (PR #1326)

8.3.6

Fixed

• Use LooseValidAt instead of StrictValidAt so that users aren't forced to use claims such as NBF in their JWT tokens (PR #1312)

8.3.5

Fixed

• Use InMemory::plainText('empty', 'empty') instead of InMemory::plainText('') to avoid new empty string exception thrown by lcobucci/jwt (PR #1282)

8.3.4

Fixed

• Server previously rejected valid uris with custom schemes. Now use league/uri for parsing to accept all valid uris (PR #1274)

8.3.3

Security

• Removed the use of LocalFileReference() in lcobucci/jwt. Function deprecated as per GHSA-7322-jrq4-x5hf (PR #1249)