node-sdk icon indicating copy to clipboard operation
node-sdk copied to clipboard
verified publisher icon descope

[Snyk] Upgrade jose from 5.2.2 to 5.10.0

Open omercnet opened this issue 8 months ago • 0 comments

snyk-top-banner

Snyk has created this PR to upgrade jose from 5.2.2 to 5.10.0.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

  • The recommended version is 20 versions ahead of your current version.

  • The recommended version was released 4 months ago.

Release notes
Package name: jose
  • 5.10.0 - 2025-02-17

    Features

    • support fully specified Ed25519 algorithm identifier (c39f57d)
  • 5.9.6 - 2024-10-20

    Reverts

    • Revert "refactor(build): simplify package exports" (2ef3a52)
  • 5.9.5 - 2024-10-20

    chore(release): 5.9.5

  • 5.9.4 - 2024-10-11

    Refactor

    • types: update error definitions (510c5ca)
  • 5.9.3 - 2024-09-22

    Refactor

    • use as Type for type assertions instead of <Type> (c4dc24d)
  • 5.9.2 - 2024-09-14

    Refactor

    • types: remove index signatures from JWK interfaces (ccf0cda)
  • 5.9.1 - 2024-09-13

    Fixes

    • types: add missing index signature on the convenience JWK types (90a93dc)
  • 5.9.0 - 2024-09-13

    Features

    • allow JWK objects as "key" input to sign and verify (c6302ea)

    This method of passing private or public keys does not yield the same performance as passing a CryptoKey or KeyObject instances, its main purpose is for convenience or for when you're not going to be re-using the same set of keys for the operation, in which case you should use one of the import key methods to obtain a CryptoKey or KeyObject.

    Example Signing

    const alg = "RS256"; const jwk = { kty: "RSA", n: "whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw", e: "AQAB", d: "VuVE_KEP6323WjpbBdAIv7HGahGrgGANvbxZsIhm34lsVOPK0XDegZkhAybMZHjRhp-gwVxX5ChC-J3cUpOBH5FNxElgW6HizD2Jcq6t6LoLYgPSrfEHm71iHg8JsgrqfUnGYFzMJmv88C6WdCtpgG_qJV1K00_Ly1G1QKoBffEs-v4fAMJrCbUdCz1qWto-PU-HLMEo-krfEpGgcmtZeRlDADh8cETMQlgQfQX2VWq_aAP4a1SXmo-j0cvRU4W5Fj0RVwNesIpetX2ZFz4p_JmB5sWFEj_fC7h5z2lq-6Bme2T3BHtXkIxoBW0_pYVnASC8P2puO5FnVxDmWuHDYQ", p: "07rgXd_tLUhVRF_g1OaqRZh5uZ8hiLWUSU0vu9coOaQcatSqjQlIwLW8UdKv_38GrmpIfgcEVQjzq6rFBowUm9zWBO9Eq6enpasYJBOeD8EMeDK-nsST57HjPVOCvoVC5ZX-cozPXna3iRNZ1TVYBY3smn0IaxysIK-zxESf4pM", q: "6qrE9TPhCS5iNR7QrKThunLu6t4H_8CkYRPLbvOIt2MgZyPLiZCsvdkTVSOX76QQEXt7Y0nTNua69q3K3Jhf-YOkPSJsWTxgrfOnjoDvRKzbW3OExIMm7D99fVBODuNWinjYgUwGSqGAsb_3TKhtI-Gr5ls3fn6B6oEjVL0dpmk", dp: "mHqjrFdgelT2OyiFRS3dAAPf3cLxJoAGC4gP0UoQyPocEP-Y17sQ7t-ygIanguubBy65iDFLeGXa_g0cmSt2iAzRAHrDzI8P1-pQl2KdWSEg9ssspjBRh_F_AiJLLSPRWn_b3-jySkhawtfxwO8Kte1QsK1My765Y0zFvJnjPws", dq: "KmjaV4YcsVAUp4z-IXVa5htHWmLuByaFjpXJOjABEUN0467wZdgjn9vPRp-8Ia8AyGgMkJES_uUL_PDDrMJM9gb4c6P4-NeUkVtreLGMjFjA-_IQmIMrUZ7XywHsWXx0c2oLlrJqoKo3W-hZhR0bPFTYgDUT_mRWjk7wV6wl46E", qi: "iYltkV_4PmQDfZfGFpzn2UtYEKyhy-9t3Vy8Mw2VHLAADKGwJvVK5ficQAr2atIF1-agXY2bd6KV-w52zR8rmZfTr0gobzYIyqHczOm13t7uXJv2WygY7QEC2OGjdxa2Fr9RnvS99ozMa5nomZBqTqT7z5QV33czjPRCjvg6FcE", };

    const jwt = await new jose.SignJWT({ "urn:example:claim": true }) .setProtectedHeader({ alg }) .setIssuedAt() .setIssuer("urn:example:issuer") .setAudience("urn:example:audience") .setExpirationTime("2h") .sign(jwk);

    console.log(jwt);

    Example Verification

    const alg = "RS256"; const jwk = { kty: "RSA", n: "whYOFK2Ocbbpb_zVypi9SeKiNUqKQH0zTKN1-6fpCTu6ZalGI82s7XK3tan4dJt90ptUPKD2zvxqTzFNfx4HHHsrYCf2-FMLn1VTJfQazA2BvJqAwcpW1bqRUEty8tS_Yv4hRvWfQPcc2Gc3-_fQOOW57zVy-rNoJc744kb30NjQxdGp03J2S3GLQu7oKtSDDPooQHD38PEMNnITf0pj-KgDPjymkMGoJlO3aKppsjfbt_AH6GGdRghYRLOUwQU-h-ofWHR3lbYiKtXPn5dN24kiHy61e3VAQ9_YAZlwXC_99GGtw_NpghFAuM4P1JDn0DppJldy3PGFC0GfBCZASw", e: "AQAB", };

    const jwt = "eyJhbGciOiJSUzI1NiJ9.eyJ1cm46ZXhhbXBsZTpjbGFpbSI6dHJ1ZSwiaWF0IjoxNjY5MDU2NDg4LCJpc3MiOiJ1cm46ZXhhbXBsZTppc3N1ZXIiLCJhdWQiOiJ1cm46ZXhhbXBsZTphdWRpZW5jZSJ9.gXrPZ3yM_60dMXGE69dusbpzYASNA-XIOwsb5D5xYnSxyj6_D6OR_uR_1vqhUm4AxZxcrH1_-XJAve9HCw8az_QzHcN-nETt-v6stCsYrn6Bv1YOc-mSJRZ8ll57KVqLbCIbjKwerNX5r2_Qg2TwmJzQdRs-AQDhy-s_DlJd8ql6wR4n-kDZpar-pwIvz4fFIN0Fj57SXpAbLrV6Eo4Byzl0xFD8qEYEpBwjrMMfxCZXTlAVhAq6KCoGlDTwWuExps342-0UErEtyIqDnDGcrfNWiUsoo8j-29IpKd-w9-C388u-ChCxoHz--H8WmMSZzx3zTXsZ5lXLZ9IKfanDKg";

    const { payload, protectedHeader } = await jose.jwtVerify(jwt, jwk, { issuer: "urn:example:issuer", audience: "urn:example:audience", });

    console.log(protectedHeader); console.log(payload);

  • 5.8.0 - 2024-08-26

    Features

    • add subpath module exports (72ecff6)

    Refactor

    • omit LocalJWKSet export since it's no longer needed for RemoteJWKSet (c502731)
  • 5.7.0 - 2024-08-19

    Features

    • graduate jwksCache to stable API (0f09c12)
  • 5.6.3 - 2024-07-03
  • 5.6.2 - 2024-06-27
  • 5.6.1 - 2024-06-27
  • 5.6.0 - 2024-06-27
  • 5.5.0 - 2024-06-26
  • 5.4.1 - 2024-06-18
  • 5.4.0 - 2024-06-03
  • 5.3.0 - 2024-05-10
  • 5.2.4 - 2024-04-07
  • 5.2.3 - 2024-03-07
  • 5.2.2 - 2024-02-11
from jose GitHub release notes

[!IMPORTANT]

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

omercnet avatar Jun 15 '25 06:06 omercnet