2.2.1 (2026-02-02)

This was a version bump only for eslint-plugin-jwt to align it with other projects, there were no code changes.

Changelog

All notable changes to eslint-plugin-jwt will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

[1.0.0] - 2025-12-29

Added

Core Security Rules (7)

• no-algorithm-none - Prevent alg:"none" attack (CVE-2022-23540, CWE-347)
• no-algorithm-confusion - Prevent RS256→HS256 key confusion (CWE-347)
• require-algorithm-whitelist - Require explicit algorithm specification (CWE-757)
• no-decode-without-verify - Prevent trusting decoded payloads (CWE-345)
• no-weak-secret - Require 256-bit minimum secrets (CWE-326)
• no-hardcoded-secret - Prevent secrets in source code (CWE-798)
• require-expiration - Require exp claim or expiresIn (CWE-613)

2025 Research Rules (6)

Based on LightSEC 2025 "Back to the Future" attack research:

• require-issued-at - Require iat claim for freshness (CWE-294)
• require-issuer-validation - Require issuer validation (CWE-287)
• require-audience-validation - Require audience validation (CWE-287)
• no-timestamp-manipulation - Prevent noTimestamp: true (CWE-294)
• require-max-age - Require maxAge for replay prevention (CWE-294)
• no-sensitive-payload - Prevent PII in token payload (CWE-359)

Configuration Presets

• recommended - Balanced security (critical=error, high=warn)
• strict - Maximum security with all 13 rules enabled
• legacy - Migration mode with only critical rules

Library Support

• jsonwebtoken
• jose
• express-jwt
• @nestjs/jwt
• jwks-rsa
• jwt-decode

Features

• AI-optimized error messages using formatLLMMessage
• CWE references for all rules (9 CWEs covered)
• OWASP Top 10 2021 coverage matrix (6 categories)
• Full TypeScript support
• Comprehensive test coverage (248 edge case tests)