rust-lang · Turbo87 · Oct 30, 2025 · Oct 9, 2025 · Oct 14, 2025 · Oct 30, 2025
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -161,7 +161,7 @@ claims = "=0.8.0"
 diesel = { version = "=2.3.3", features = ["r2d2"] }
 googletest = "=0.14.2"
 insta = { version = "=1.43.2", features = ["glob", "json", "redactions"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.1.0", features = ["aws_lc_rs"] }
 quoted_printable = "=0.5.1"
 regex = "=1.12.2"
 sentry = { version = "=0.45.0", features = ["test"] }

diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
@@ -15,7 +15,7 @@ anyhow = "=1.0.100"
 async-trait = "=0.1.89"
 bon = { version = "=3.8.1", optional = true }
 chrono = { version = "=0.4.42", features = ["serde"] }
-jsonwebtoken = "=9.3.1"
+jsonwebtoken = { version = "=10.1.0", features = ["aws_lc_rs"] }
 mockall = { version = "=0.13.1", optional = true }
 rand = "=0.9.2"
 reqwest = { version = "=0.12.24", features = ["gzip", "json"] }

diff --git a/crates/crates_io_trustpub/src/unverified.rs b/crates/crates_io_trustpub/src/unverified.rs
@@ -1,29 +1,6 @@
+use jsonwebtoken::TokenData;
 use jsonwebtoken::errors::Error;
-use jsonwebtoken::{DecodingKey, TokenData, Validation};
 use serde::Deserialize;
-use std::collections::HashSet;
-use std::sync::LazyLock;
-
-/// [`Validation`] configuration for decoding JWTs without any
-/// signature validation.
-///
-/// **This must only be used to extract the `iss` claim from the JWT, which
-/// is then used to look up the corresponding OIDC key set.**
-static NO_VALIDATION: LazyLock<Validation> = LazyLock::new(|| {
-    let mut no_validation = Validation::default();
-    no_validation.validate_aud = false;
-    no_validation.validate_exp = false;
-    no_validation.required_spec_claims = HashSet::new();
-    no_validation.insecure_disable_signature_validation();
-    no_validation
-});
-
-/// Empty [`DecodingKey`] used for decoding JWTs without any signature
-/// validation.
-///
-/// **This must only be used to extract the `iss` claim from the JWT, which
-/// is then used to look up the corresponding OIDC key set.**
-static EMPTY_KEY: LazyLock<DecodingKey> = LazyLock::new(|| DecodingKey::from_secret(b""));
 
 /// Claims that are extracted from the JWT without any signature
 /// validation. Specifically, this only extracts the `iss` claim, which is
@@ -41,7 +18,7 @@ impl UnverifiedClaims {
     /// **This must only be used to extract the `iss` claim from the JWT, which
     /// is then used to look up the corresponding OIDC key set.**
     pub fn decode(token: &str) -> Result<TokenData<Self>, Error> {
-        jsonwebtoken::decode(token, &EMPTY_KEY, &NO_VALIDATION)
+        jsonwebtoken::dangerous::insecure_decode(token)
     }
 }
 

diff --git a/deny.toml b/deny.toml
@@ -108,6 +108,7 @@ allow = [
     "ISC",
     "MIT",
     "MPL-2.0",
+    "OpenSSL",
     "Unicode-3.0",
     "Zlib",
 ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -108,6 +108,7 @@ allow = [ @@
         "ISC",
         "MIT",
         "MPL-2.0",
+        "OpenSSL",
         "Unicode-3.0",
         "Zlib",
     ]
@@ Expand Down @@