Bump version (#334)

* Bump version

* Keep criterion at 0.4

Author: Keats

CHANGELOG.md

@@ -1,5 +1,10 @@
 # Changelog
 
+## 9.0.0 (2023-10-16)
+
+- Update ring
+- Rejects JWTs containing audiences when the Validation doesn't contain any
+
 ## 8.3.0 (2023-03-15)
 
 - Update base64

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "jsonwebtoken"
-version = "8.3.0"
+version = "9.0.0"
 authors = ["Vincent Prouillet <hello@vincentprouillet.com>"]
 license = "MIT"
 readme = "README.md"
@@ -15,10 +15,10 @@ rust-version = "1.67.0"
 [dependencies]
 serde_json = "1.0"
 serde = {version = "1.0", features = ["derive"] }
-ring = { version = "0.17.3", features = ["std"] }
+ring = { version = "0.17.4", features = ["std"] }
 base64 = "0.21.0"
 # For PEM decoding
-pem = {version = "2", optional = true}
+pem = {version = "3", optional = true}
 simple_asn1 = {version = "0.6", optional = true}
 
 [dev-dependencies]

README.md

@@ -8,9 +8,9 @@ See [JSON Web Tokens](https://en.wikipedia.org/wiki/JSON_Web_Token) for more inf
 Add the following to Cargo.toml:
 
 ```toml
-jsonwebtoken = "8"
+jsonwebtoken = "9"
 # If you do not need pem decoding, you can disable the default feature `use_pem` that way:
-# jsonwebtoken = {version = "8", default-features = false }
+# jsonwebtoken = {version = "9", default-features = false }
 serde = {version = "1.0", features = ["derive"] }
 ```
 
@@ -157,7 +157,8 @@ openssl pkcs8 -topk8 -nocrypt -in sec1.pem -out pkcs8.pem
 
 ## Validation
 This library validates automatically the `exp` claim and `nbf` is validated if present. You can also validate the `sub`, `iss` and `aud` but
-those require setting the expected value in the `Validation` struct.
+those require setting the expected value in the `Validation` struct. In the case of `aud`, if there is a value set in the token but
+not in the `Validation`, the token will be rejected.
 
 Since validating time fields is always a bit tricky due to clock skew,
 you can add some leeway to the `iat`, `exp` and `nbf` validation by setting the `leeway` field.