• Home
  • Features
  • Pricing
  • Docs
  • Announcements
  • Sign In

dunglas / mercure / 29639701340 / 1
85%
master: 93%

Build:
Build:
LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 18 Jul 2026 09:50AM UTC
Files 37
Run time 1s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst

18 Jul 2026 09:45AM UTC coverage: 85.138% (+0.1%) from 85.042%
29639701340.1

Pull #1298

github

dunglas
fix(security): pin the JWT algorithm allowlist in compatibility mode

applyModernDefaults returned before assigning the default asymmetric-only
algorithm allowlist whenever a protocol-version compatibility was set. A hub
built with a bare key function (the JWKS path) and no explicit algorithms then
let the parser accept whatever alg the token header declared, so a token forged
as HS256 against an RSA/EC public key could be presented for algorithm
confusion. Apply the allowlist in every mode; a relaxed protocol version must
not relax the signature-algorithm check. Operators pinning a symmetric
algorithm on a bare key function still opt in via WithPublisher/SubscriberJWTAlgorithms.
Pull Request #1298: fix(security): pin the JWT algorithm allowlist in compatibility mode

2721 of 3196 relevant lines covered (85.14%)

101.42 hits per line

Source Files on job 0 - 29639701340.1
  • Tree
  • List 37
  • Changed 2
  • Source Changed 0
  • Coverage Changed 2
Coverage ∆ File Lines Relevant Covered Missed Hits/Line
  • Back to Build 29639701340
  • 4cf5d85b on github
  • Prev Job for on fix/jwt-alg-allowlist-compat (#29599463785.1)
STATUS · Troubleshooting · Open an Issue · Sales · Support · CAREERS · ENTERPRISE · START FREE · SCHEDULE DEMO
ANNOUNCEMENTS · TWITTER · TOS & SLA · Supported CI Services · What's a CI service? · Automated Testing

© 2026 Coveralls, Inc