l8w8jwt Security Breach
l8w8jwt is an open source, minimal, OpenSSL-free and ultra-lightweight JWT library written in C by Glitched Polygons GmbH. Version 2.2.1 of l8w8jwt contains a security vulnerability that stems from the use of memcmp to authenticate, resulting in an authentication bypass...
Uses insecure CSPRNG (openssl_random_pseudo_bytes())
It's not fork safe - In most versions of PHP, it lies about being secure - And today I learned that OpenSSL, by default (i.e. unchangeable from PHP land), uses MD5 as a CSPRNG, thanks @atoponce. I'm stuck between several possible avenues: - Release a new version v1.3.0 or most likely v2.0.0 that...