[Snyk] Upgrade aws-jwt-verify from 5.0.0 to 5.1.1

[DanielRivers]

Snyk has created this PR to upgrade aws-jwt-verify from 5.0.0 to 5.1.1.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 2 versions ahead of your current version.

• The recommended version was released 25 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Improper Handling of Unexpected Data Type SNYK-JS-ONHEADERS-10773729	222	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	222	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	222	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ESLINTPLUGINKIT-10847878	222	Proof of Concept

Release notes

Package name: aws-jwt-verify

• 5.1.1 - 2025-10-02

  What's Changed

  • docs: tweak ALB docs by @ ottokruse in #217
  • Bump form-data from 4.0.1 to 4.0.4 in /tests/cognito by @ dependabot[bot] in #218
  • Bump form-data and @ cypress/request in /tests/vite-app by @ dependabot[bot] in #219
  • fix: ui test works again after cypress upgrade by @ ottokruse in #225
  • feat: support GovCloud ALB ARNs in AlbJwtVerifier and add related tests by @ rsb-tbg in #224
  • Bump brace-expansion in /tests/cognito by @ dependabot[bot] in #222
  • chore: version bump for npm release by @ ottokruse in #226

  New Contributors

  • @ rsb-tbg made their first contribution in #224

  Full Changelog: v5.1.0...v5.1.1

• 5.1.0 - 2025-05-05

  What's Changed

  • Actually mention the right supported algorithms in our docs by @ ottokruse in #185
  • Mention Node 16 in docs by @ ottokruse in #186
  • chore: fix algorithm list in docs by @ ottokruse in #187
  • Compile regexp once and optimize CUP regex by @ ottokruse in #188
  • Fixed mention of algorithms in docs by @ ottokruse in #189
  • fix: Fetcher interface data type by @ hakanson in #191
  • Bump vite from 5.3.6 to 5.4.12 in /tests/vite-app by @ dependabot in #192
  • Bump aws-cdk-lib from 2.173.4 to 2.177.0 in /tests/cognito by @ dependabot in #194
  • chore: upgrade ESLint by @ hakanson in #195
  • chore: remove list of supported algs from package description as it got stale by @ ottokruse in #193
  • docs: update to at least Node.js v18 by @ hakanson in #197
  • chore: update ALB to recommended TLS policy by @ hakanson in #198
  • Bump aws-cdk-lib from 2.178.1 to 2.186.0 in /tests/cognito by @ dependabot in #206
  • Bump esbuild and vite in /tests/vite-app by @ dependabot in #205
  • Bump aws-cdk from 2.178.1 to 2.178.2 in /tests/cognito by @ dependabot in #202
  • Bump vite from 6.2.3 to 6.2.5 in /tests/vite-app by @ dependabot in #209
  • Bump vite from 6.2.5 to 6.2.6 in /tests/vite-app by @ dependabot in #210
  • Bump aws-cdk-lib from 2.186.0 to 2.189.0 in /tests/cognito by @ dependabot in #211
  • Bump aws-cdk-lib from 2.189.0 to 2.189.1 in /tests/cognito by @ dependabot in #212
  • Bump vite from 6.2.6 to 6.2.7 in /tests/vite-app by @ dependabot in #214
  • Alb jwt verifier by @ NicolasViaud in #190
  • chore: version bump for npm release by @ ottokruse in #216

  New Contributors

  • @ NicolasViaud made their first contribution in #190

  Full Changelog: v5.0.0...v5.1.0

• 5.0.0 - 2025-01-08

  Notable new features in v5.0.0:

  • Support for ECDSA and EdDSA algorithms:
    • ES256
    • ES384
    • ES512
    • Ed25519
    • Ed448
  • Allow padding characters (even though non-standard) so e.g. AWS ALB JWTs can be verified with this library (however work is still underway to make that easier still, see #176 )
  • The default response timeout of the JWKS fetcher was increased from 1500 ms. to 3000 ms. because multiple users reported the previous 1500 ms. being too low--they were hitting timeouts too often. We believe the 3000 ms. is a better, more reasonable, default value.

  Breaking changes

  This release includes breaking changes, hence moving to major version 5.0.0:

  • Dropped support for Node.js 14, now 16 is the minimum.
  • The fetchJson interface was changed and renamed to fetch. Thus the JsonFetcher was renamed to Fetcher, and corresponding changes were made in the SimpleJwksCache see #167. So, this affects users who were using the SimpleJsonFetcher, potentially to increase the response timeout (maybe that's no longer needed now, as we raised the default value from 1500 ms. to 3000 ms.).
  • It is now allowed to use an explicit null as issuer when creating the verifier, to cater for issuers that create JWTs without iss field (which is non-standard): see #183 . Previously, you couldn't create a verifier for issuer null and JWTs without iss field would always throw JwtInvalidIssuerError. This change likely is breaking to no-one, but technically this is a breaking change. So if your code was explicitly using JwtInvalidIssuerError (e.g. because you imported it), check if it still TS-compiles and works.
  • We renamed the JwtRsaVerifier to JwtVerifier as it handles ECDSA and EdDSA now too but created a top level (immediately deprecated) alias to JwtVerifier so if you do import { JwtRsaVerifier } from "aws-jwt-verifier" that still works. This will break though: import { JwtRsaVerifier } from "aws-jwt-verifier/jwt-rsa" and should become import { JwtVerifier } from "aws-jwt-verifier/jwt-verifier" (if for some reason you were importing like that and not from top-level).

  What's Changed

  • Bump vite from 4.5.2 to 4.5.3 in /tests/vite-app by @ dependabot in #157
  • Bump ws from 7.5.7 to 7.5.10 in /tests/cognito by @ dependabot in #161
  • Bump braces from 3.0.2 to 3.0.3 by @ dependabot in #160
  • Bump braces from 3.0.2 to 3.0.3 in /tests/vite-app by @ dependabot in #162
  • Bump braces from 3.0.2 to 3.0.3 in /tests/cognito by @ dependabot in #163
  • Support for ES256/ES384/ES512 by @ ottokruse in #164
  • Bump webpack from 5.88.2 to 5.94.0 in /tests/vite-app by @ dependabot in #172
  • Refactor fetching to support fetching non-JSON JWKS by @ ottokruse in #167
  • Bump vite from 5.3.2 to 5.3.6 in /tests/vite-app by @ dependabot in #174
  • Bump rollup from 4.18.0 to 4.22.4 in /tests/vite-app by @ dependabot in #175
  • fix/ecdsa verification to use raw signature format per jwa spec by @ ottokruse in #179
  • Add (very) minimal support for AWS ALB by @ ottokruse in #180
  • fix: actually use custom error object by @ ottokruse in #182
  • Feat/eddsa support by @ ottokruse in #181
  • feat: Allow issuer null by @ ottokruse in #183
  • v5.0.0 by @ ottokruse in #184

  Full Changelog: v4.0.1...v5.0.0

from aws-jwt-verify GitHub release notes

---

[!IMPORTANT]

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.
• Max score is 1000. Note that the real score may have changed since the PR was raised.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[coderabbitai[bot]]

[!IMPORTANT]

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• [ ] Create PR with unit tests
• [ ] Post copyable unit tests in a comment
• [ ] Commit unit tests in branch snyk-upgrade-54f1200f39a2731b537b1a8cfee31ba8

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}