Skip to content

Upgrade jwks-rsa to ESM and jose from 4.15.4 to 6.1.0 #444

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
yisyang wants to merge 6 commits into
base: master
Choose a base branch
from
Open

Upgrade jwks-rsa to ESM and jose from 4.15.4 to 6.1.0 #444

yisyang wants to merge 6 commits into from
+8,408 −2,401

Conversation

@yisyang
Copy link

@yisyang yisyang commented Sep 18, 2025
edited
Loading

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR upgrades jose dependency from 4.15.4 to 6.1.0 in order to resolve a high score CVE CVE-2025-45767

Resolves #443

Note changes will require later version of Node.js.

As mentioned by lotmek quoting jose specifications, it is now possible to import ESM packages from CommonJS using require(esm) by default in the latest Node.js versions:

^20.19.0
^22.12.0
>= 23.0.0

References

jwks-rsa has high score vulnerability from jose dependency #443

Testing

  • This change adds test coverage for new/changed/fixed functionality
  • Manual testing in live environment that uses Next.js that integrates against browser SPA OAuth flow (PKCE + jwks URI).

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

Important Notes

  • jwks-rsa converted to ESM, a new build process is added (by rollup package) to release packaged dist/index.js
  • downstream Jest test will needs custom mock to work (see README > Known Issues)

@yisyang yisyang requested a review from a team as a code owner September 18, 2025 20:46
@yisyang

This comment was marked as resolved.

Sign in to view
@yisyang yisyang changed the title Upgrade jose from 4.15.4 to 6.1.0 NOT READY - Upgrade jose from 4.15.4 to 6.1.0 Sep 19, 2025
@yisyang
Copy link
Author

yisyang commented Sep 19, 2025

Results:

  • jwks-rsa converted to ESM
  • jose upgraded to 6.1.0
  • All tests passing
  • Downstream NestJS app launches, login works
  • Downstream Jest test needs custom mock to work (see README > Known Issues)

@yisyang yisyang changed the title NOT READY - Upgrade jose from 4.15.4 to 6.1.0 Upgrade jwks-rsa to ESM and jose from 4.15.4 to 6.1.0 Sep 19, 2025
@radioflyer-sbs
Copy link

radioflyer-sbs commented Sep 25, 2025

Is there any movement on this? We're literally waiting on this PR to go through to resolve our vulnerability issue. If this isn't going somewhere, we'll have to look for other means.

@yisyang
Copy link
Author

yisyang commented Sep 26, 2025

@stevenwong-okta @auth0/project-dx-sdks-engineer-codeowner

@tylor-metrics
Copy link

tylor-metrics commented Sep 26, 2025

Watching for this change to hit as well.

@apmechev
Copy link

apmechev commented Nov 7, 2025

shouldn't ./dist/ be added to .gitignore?

Anyway thanks for doing this! Hope it gets released soon

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

jwks-rsa has high score vulnerability from jose dependency

4 participants

@yisyang @radioflyer-sbs @tylor-metrics @apmechev