chore(deps): update dependency jose to v5 - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
jose	2.0.7 -> 5.4.0

---

Release Notes

panva/jose (jose)

v5.4.0

Compare Source

Features

• expose JWT's payload in JWTClaimValidationFailed instances (58bcffb), closes #​680

Refactor

• add explicit return types everywhere (cc2b2d7)

v5.3.0

Compare Source

Features

• allow observing remote JWKS resolver state and its manual reload (fa8b639)

Refactor

• if should not be the only statement in else blocks (a6b716b)

v5.2.4

Compare Source

Refactor

• use createLocalJWKSet instead of LocalJWKSet in createRemoteJWKSet (a7c566c)

v5.2.3

Compare Source

Refactor

• move iv generation and optional outputs around (05c4351)

v5.2.2

Compare Source

Fixes

• types: iv and tag is optional in JSON serializations (53019cd)

v5.2.1

Compare Source

Fixes

• build: refactor export targets for browser, node cjs, and node esm builds (50cbc65)

v5.2.0

Compare Source

Features

• extend JWT NumericDate setter syntax (ae363c3)

v5.1.3

Compare Source

v5.1.2

Compare Source

Fixes

• do not mutate JWTVerifyOptions.requiredClaims (1bf9cec), closes #​610

v5.1.1

Compare Source

Refactor

• deprecate the RSA1_5 JWE Algorithm (f746da1)

v5.1.0

Compare Source

Features

• add payload generics to jose.decodeJwt (9de49e2), closes #​604

v5.0.2

Compare Source

Fixes

• createRemoteJWKSet: ensure a default user-agent header is present (887dd3c), closes #​600

v5.0.1

Compare Source

Fixes

• also use ES2020 in the CDN bundles (8c4d390)

v5.0.0

Compare Source

⚠ BREAKING CHANGES

• Node.js: return Uint8Array (not a Buffer) from base64url.decode
• Browser distribution is now built using ES2020 as a target
• Node.js distribution is now built using ES2022 as a target
• types: jwtVerify and jwtDecrypt type argument for the resolved
  KeyLike type is now a second optional type argument following a type
  for the JWT Claims Set (aka payload)
• PBES2 Key Management Algorithms' use in decrypt
  functions now requires the use of the keyManagementAlgorithms option
  to explicitly opt-in for their use.
• importJWK "octAsKeyObject" option was removed.
  importJWK will no longer return CryptoKey or KeyObject for "oct" (octet
  sequence) JWK key types, it will instead always return a Uint8Array
  formed from the "k" (Key Value) Parameter regardless of the other JWK
  Parameters that may be present.
• End-Of-Life versions of Node.js as of October 2023 are
  no longer supported. Node.js 18, 20, and 21 and future releases are
  the ones that remain supported.
• The JWE "zip" (Compression Algorithm) Header Parameter
  is no longer supported by this JOSE implementation.

Features

• add Date as valid input to timestamp setting functions (bd830a4)
• default to an empty payload in JWT producing constructors (98d6ca1)
• types: add optional Generics for JWT verify and decrypt (61bd2a0), closes #​568

Reverts

• Revert "test: fix test under lts/erbium" (b64b6c7)

Refactor

• Browser distribution is now built using ES2020 as a target (1836684)
• drop support for EOL Node.js versions (b5aee54)
• importJWK always returns a Uint8Array for symmetric key inputs (163e1b0)
• Node.js distribution is now built using ES2022 as a target (239697a)
• Node.js: return Uint8Array (not a Buffer) from base64url.decode (02d5182)
• PBES2 Algorithms require explicit opt-in during verification (e2da031)
• remove support for JWE "zip" (Compression Algorithm) Header Parameter (16998b1)
• types: rename type parameters for the KeyLike returns (eddd400)
• update allow list error messages (fe8114c)

v4.15.5

Compare Source

Fixes

• add a maxOutputLength option to zlib inflate (1b91d88), fixes CVE-2024-28176

v4.15.4

Compare Source

Fixes

• types: export GetKeyFunction (#​592) (936c9df), closes #​591

v4.15.3

Compare Source

v4.15.2

Compare Source

Fixes

• build: add a node target for jose-browser-runtime releases (abb63d0)

v4.15.1

Compare Source

Fixes

• resolve missing types for the cryptoRuntime const (1627965)

v4.15.0

Compare Source

Features

• export the used crypto runtime as a constant (0681dda)

v4.14.6

Compare Source

Fixes

• build: publish bundle and umd files with jose-browser-runtime module (62fcbcc), closes #​571

v4.14.5

Compare Source

Refactor

• catch type error when decoding base64url signature (#​569) (935e920)
• catch type errors when decoding various base64url strings (9024e87)

v4.14.4

Compare Source

Refactor

• cleanup NODE-ED25519 workerd workarounds (072e83d)

v4.14.3

Compare Source

Reverts

• Revert "fix(types): headers and payloads may only be JSON values and primitives" (06d8101), closes #​534

v4.14.2

Compare Source

Fixes

• types: headers and payloads may only be JSON values and primitives (24f306e)

v4.14.1

Compare Source

v4.14.0

Compare Source

Features

• add requiredClaims JWT validation option (eeea91d)

v4.13.2

Compare Source

Refactor

• src/util/decode_protected_header.ts (5716725)

v4.13.1

Compare Source

Fixes

• workerd: avoid "The script will never generate a response" edge cases completely (96a8c99), closes #​355 #​509

v4.13.0

Compare Source

Features

• types: allow generics to aid in CryptoKey or KeyObject narrowing of KeyLike (6effa4d)

Fixes

• make jose.EmbeddedJWK arguments optional (20610a9)

v4.12.2

Compare Source

Fixes

• types: declare explicit return from EmbeddedJWK (46934ac)

v4.12.1

Compare Source

Refactor

• clarify when alg is used and required on key imports (19e525f)
• node: have node:crypto deal with x509 parsing (45bb45d)

v4.12.0

Compare Source

Features

• enable key iteration over JWKSMultipleMatchingKeys (a278acd)

v4.11.4

Compare Source

Fixes

• build: ignore deno files in npm publishes (b3d6a11)

v4.11.3

Compare Source

Fixes

• CF Workers: improve miniflare compat with different Node.js versions, get ready for future non-proprietary support (3406b9f), closes #​446 #​495 #​497

v4.11.2

Compare Source

Refactor

• node: dry node version checks (aff2f7c)

v4.11.1

Compare Source

v4.11.0

Compare Source

Features

• add bun as a supported runtime (3a63631)

Fixes

• respect JWK ext for symmetric keys (20557fc)

v4.10.4

Compare Source

Fixes

• typo in importPKSC8 error message (#​468) (746bc64)
• workaround for invalid use checks on CF Workers and Deno (e4d04eb)

v4.10.3

Compare Source

v4.10.2

Compare Source

v4.10.1

Compare Source

v4.10.0

Compare Source

Features

• Curve25519, and Curve448 support for WebCryptoAPI runtimes (fea359a)

Fixes

• importX509: handle length encodings better (47d0d77), closes #​459

v4.9.3

Compare Source

Refactor

• update CEK length validation error message (81a92a9)
• update key input validation error messages (2eac34a)
• update keylike description for WinterCG (6741679)

v4.9.2

Compare Source

Fixes

• limit default PBES2 alg's computational expense (03d6d01)

v4.9.1

Compare Source

Fixes

• deno: add a Deno package entrypoint (9f3c459)

v4.9.0

Compare Source

Features

• add support for RFC 9278 - JWK Thumbprint URI (d06ce65)

Refactor

• consume some base64url decode errors (#​436) (caaf2c3)
• unify JOSENotSupported throw on key export (fe5d093)

v4.8.3

Compare Source

v4.8.1

Compare Source

Fixes

• typescript: add types export for nodenext module resolution (#​406) (5a6d8f0)

v4.8.0

Compare Source

Features

• add "worker" export in package.json (#​400) (c58c80a)
• optional headers options for createRemoteJWKSet (#​397) (b4612f5)

v4.7.0

Compare Source

Features

• add createRemoteJWKSet cacheMaxAge option (5017d95), closes #​394

v4.6.2

Compare Source

Fixes

• dont check JWT iat is in the past unless maxTokenAge is used (96d85c7)

v4.6.1

Compare Source

v4.6.0

Compare Source

Features

• mark APIs and parameters that can lead to footguns as deprecated (0ddbcc6)
• types: include JSDoc in the types (74187a9)

v4.5.3

Compare Source

Fixes

• web api runtime: rely on default fetch init values (df6d966)

v4.5.2

Compare Source

Fixes

• decrypting empty ciphertext compact JWEs (#​374) (95fe597)

v4.5.1

Compare Source

Fixes

• typescript: allow synchronous get key functions (7c99153)

v4.5.0

Compare Source

Features

• add jose.decodeJwt utility (3d2a2b8)

Fixes

• concurrent fetch await in cloudflare (e44cd18), closes #​355

v4.4.0

Compare Source

Features

• add createLocalJWKSet, resolver to verify using a local JWKSet (bd7bf37)

v4.3.9

Compare Source

Fixes

• only add y to the epk header parameter when EC keys are used (dd6775e), closes #​348

v4.3.8

Compare Source

v4.3.7

Compare Source

Fixes

• typescript: b64: true is fine to use in JWT, its useless, but allowed (#​324) (ee401c9)

v4.3.6

Compare Source

Fixes

• electron: rsa-pss keys are never supported (188c1f7)

v4.3.5

Compare Source

Fixes

• typescript: b64 header regression (#​324) (9da0a7f)

v4.3.4

Compare Source

Fixes

• Compact JWS verification handles a zero-length payload string (7c70e7b)

v4.3.3

Compare Source

Fixes

• typescript: apply updated compact and jwt headers to compact/jwt verify and decrypt results (0c1946c)

v4.3.2

Compare Source

Fixes

• createRemoteJWKSet handles all JWS syntaxes (aaba8f3)
• typescript: Compact JWS Header Parameters has alg and enc as required (0fa87af)
• typescript: Compact JWS Header Parameters has alg as required (c7fabd0)
• typescript: Signed JWT Header Parameters has alg as required and b64 as never (79cbd82)

v4.3.0

Compare Source

Features

• add GeneralSign signature and GeneralEncrypt recipient builder chaining (cfc93f5)

v4.2.1

Compare Source

Fixes

• node: dont mention CryptoKey in versions without webcrypto (401cabf)

v4.2.0

Compare Source

Features

• General JWE Encryption (94eca81)

v4.1.5

Compare Source

Fixes

• importX509 certificate values that do not include a version number (51a18b6), closes #​308

v4.1.4

Compare Source

Fixes

• allow shorter HMAC secrets (57126f1)

v4.1.3

Compare Source

Fixes

• edge-functions: don't use globalThis (3952030)

v4.1.2

Compare Source

Fixes

• build: ensure cjs/esm specific packages have the right main entry (2f4526a)

v4.1.1

Compare Source

Fixes

• typescript: work around potentially missing global URL from DOM lib (7ed731c), closes #​295

v4.1.0

Compare Source

Features

• web: publish umd and bundle files to cdnjs.com (3b3100a)

v4.0.4

Compare Source

Fixes

• web: check Uint8Array CEK lengths, refactor for better tree-shaking (e8299f2)

v4.0.3

Compare Source

Fixes

• web: checking cryptokey applicability early (89dc2aa)

v4.0.2

Compare Source

Fixes

• typescript: export ProduceJWT (#​285) (2b8738e)

v4.0.1

Compare Source

Fixes

• typescript: re-export all types from index.d.ts (d68f104)

v4.0.0

Compare Source

⚠ BREAKING CHANGES

• All module named exports have moved from subpaths to
  just "jose". For example, import { jwtVerify } from 'jose/jwt/verify'
  is now just import { jwtVerify } from 'jose'.
• All submodule default exports and named have been
  removed in favour of just "jose" named exports.
• typescript: remove repeated type re-exports
• The undocumented jose/util/random was removed.
• The jose/jwk/thumbprint named export
  is renamed to calculateJwkThumbprint, now
  import { calculateJwkThumbprint } from 'jose'
• The deprecated jose/jwk/parse module was
  removed, use import { importJWK } from 'jose' instead.
• The deprecated jose/jwk/from_key_like module was
  removed, use import { exportJWK } from 'jose' instead.

Refactor

• redo exports to support broader tooling (dd2cf9e)
• remove util/random (914e47f)
• removed the deprecated jwk/from_key_like module (ec1d0e7)
• removed the deprecated jwk/parse module (8d3cc3b)
• rename calculateThumprint to calculateJwkThumbprint (5afb713)
• typescript: remove repeated type re-exports (3e137d2)

v3.20.4

Compare Source

Fixes

• limit default PBES2 alg's computational expense (d530c30)

v3.20.3

Compare Source

Fixes

• remove clutter when tree shaking browser dist (73ba370)
• typescript: JWTExpired error TS2417 (373e0e4)

v3.20.2

Compare Source

Fixes

• allow tree-shaking of errors (0824301)

v3.20.1

Compare Source

Fixes

• typescript: PEM import functions always resolve a KeyLike, never a Uint8Array (8ef3a8e)

v3.20.0

Compare Source

Features

• improve key input type errors, remove dependency on @​types/node (a13eb04)

Fixes

• proper createRemoteJWKSet timeoutDuration handling (efa1619), closes #​277

v3.19.0

Compare Source

Features

• return resolved key when verify and decrypt resolve functions are used (49fb62c)

v3.18.0

Compare Source

Features

• add X.509/SPKI/PKCS8 key import and SPKI/PKCS8 export functions (a2af0f4)

v3.17.0

Compare Source

Features

• cloudflare workers: add support for EdDSA using Ed25519 (0967369)

v3.16.1

Compare Source

Fixes

• guard Sign payloads and Encrypt plaintext argument types (10a18f2)

v3.16.0

Compare Source

Features

• node: support rsa-pss keys in Node.js >= 16.9.0 for sign/verify (0b112cf)

v3.15.5

Compare Source

Fixes

• omit some fetch options when running in Cloudflare Workers env (ced065a), closes #​255

v3.15.4

Compare Source

Fixes

• deno: ignore incomplete webcrypto api type errors (c5f2262)
• typescript: generateKeyPair never returns Uint8Array (73adc01)

v3.15.3

Compare Source

Fixes

• typescript: GeneralJWSInput and GeneralJWS omit (bc0b42f)

v3.15.2

Compare Source

v3.15.1

Compare Source

Fixes

• typescript: remove file extensions from types/**/*.d.ts files (0c432e5), closes #​222

v3.15.0

Compare Source

Features

• experimental Deno build & publish (5c7d265)

Fixes

• typescript: allow sign results to be passed to verify (59aa96d)

v3.14.4

Compare Source

Fixes

• throw JWEInvalid when jwe protected header is invalid (991d435)
• throw JWSInvalid when jws protected header is invalid (#​244) (1fc79aa)

v3.14.3

Compare Source

Fixes

• docs: update doc links again (26c4361)

v3.14.2

Compare Source

Fixes

• docs: update doc links (86f9134)

v3.14.1

Compare Source

Fixes

• typescript: export generate key pair result interface (2b5cc28)

v3.14.0

Compare Source

Features

• add verbose key type error messages (df56b94)

Fixes

• typescript: remove file extensions from .d.ts files (e091f0f), closes #​222
• AES Key Wrap input type check (b83821b)
• guard SignJWT.prototype.sign() from missing protected header (4103719), closes #​221
• typescript: add "jku" header to JoseHeaderParameters (#​220) (72a72db)

v3.13.0

Compare Source

Features

• typescript: export consume module interface types (#​213) (13fa3d8)

v3.12.3

Compare Source

Fixes

• browser: remove the use of a node std-lib in decodeProtectedHeader (d9d4a5f), closes #​206

v3.12.2

Compare Source

Performance

• node: use util.types.is* helpers when available (d36311d)

v3.12.1

Compare Source

Fixes

• browser: avoid global-conflicting variable name fetch (#​199) (b2c6273)

v3.12.0

Compare Source

Features

• webcrypto: allow generate* modules extractable: false override (afae428)

v3.11.6

Compare Source

Fixes

• swallow promisified crypto.verify errors (d512ede)

v3.11.5

Compare Source

Fixes

• isObject helper in different vm contexts or jest re-assigned globals (7819df7), closes #​178

v3.11.4

Compare Source

Fixes

• defer AES CBC w/ HMAC decryption after tag verification passes (579485c)

v3.11.3

Compare Source

Fixes

• node: check CryptoKey algorithm & usage before exporting KeyObject (dab4b2f)

v3.11.2

Compare Source

Fixes

• assert KeyLike input types, change "any" types to "unknown" (edb83a8)

v3.11.1

Compare Source

Fixes

• node: crypto.verify callback invocation with a private keyobject (d3d4acd)

v3.11.0

Compare Source

Features

• export error codes as static properties (89d8003), closes #​170

v3.10.0

Compare Source

Features

• node: use libuv threadpool to sign in node >= 15.12.0 (cf5074e)
• node: use libuv threadpool to verify in node >= 15.12.0 (ae9a7f4)
• node: use native JWK export in node >= 15.9.0 (7f3cc44)
• node: use native JWK import in node >= 15.12.0 (f0c2a64)

v3.9.0

Compare Source

Features

• add named exports for all modules (5cba6b0)

v3.8.0

Compare Source

Features

• publish alternative Node.js and Browser specific distributions (7856dad)

v3.7.1

Compare Source

Fixes

• swallow invalid signature encoding errors (e0adf49)

v3.7.0

Compare Source

Features

• electron >=12.0.0 is now supported (and tested on ci) (8fffd3e)

Fixes

• electron: only call (de)cipher.setAAD() when aad is not empty (a5a6c4d)
• electron: properly ASN.1 encode [0x00] when converting RSA JWKs (433f020)

v3.6.2

Compare Source

Fixes

• typescript: update maxTokenAge type and examples (2c358e0)

v3.6.1

Compare Source

Fixes

• node runtime json fetch handles connection errors properly (fc584b2)

v3.6.0

Compare Source

Features

• allow CryptoKey instances in a regular non-webcrypto node runtime (e8d41a9)

v3.5.4

Compare Source

Fixes

• export package.json (8c29107), closes #​157

v3.5.3

Compare Source

Fixes

• workaround downstream dependency issues messing with http (2e58005), closes #​154

v3.5.2

Compare Source

Performance

• use 'base64url' encoding when available in Node.js runtime (808f06c)
• use KeyObject.prototype asymmetricKeyDetails when available (ad88ee2)

v3.5.1

Compare Source

Fixes

• workaround for RangeError in browser runtime base64url (ed32b0d)

v3.5.0

Compare Source

Features

• added JWE General JSON Serialization decryption (16dea9e)

v3.4.0

Compare Source

Features

• added JWS General JSON Serialization signing (6fb862c), closes #​129
• added JWS General JSON Serialization verification (55b7781), closes #​129
• added utility function for decoding token's protected header (fa29d68)

v3.3.2

Compare Source

Fixes

• typescript: ref dom lib via triple-slash to fix some compile issues (175f273), closes #​126

v3.3.1

Compare Source

Fixes

• botched v3.3.0 release (1c3e116)

v3.3.0

Compare Source

Features

• support recognizing proprietary crit header parameters (5163116), closes #​123

Fixes

• reject JWTs with b64: false (691b44a)

v3.2.0

Compare Source

Features

• allow specifying modulusLength when generating RSA Key Pairs (5f7a0e9), closes #​121

v3.1.3

Compare Source

Fixes

• typescript: refactored how types are published (2937363), closes #​119

v3.1.2

Compare Source

Fixes

• handle globalThis undefined in legacy browsers (b83c59b)

v3.1.1

Compare Source

Fixes

• global detection in a browser worker runtime (56ff8fa)

v3.1.0

Compare Source

Features

• added "KeyLike to JWK" module (7a8418e), closes #​109
• allow compact verify/decrypt tokens to be uint8array encoded (e39c3db)
• allow http.Agent and https.Agent passed in remote JWK Set (38494a8)

v3.0.2

Compare Source

Fixes

• build: publish esm submodules (7b6364f), closes #​104

v3.0.1

Compare Source

Fixes

• typescript: fix compiling by adding .d.ts files for runtime modules (d9cb573)

v3.0.0

Compare Source

⚠ BREAKING CHANGES

• Revised, Promise-based API
• No dependencies
• Browser support (using Web Cryptography API)
• Support for verification using a remote JWKS endpoint

Features

• Revised API, No dependencies, Browser Support, Promises (

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
mc-app-kit-playground	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 5, 2024 2:43pm
merchant-center-application-kit-components-playground	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 5, 2024 2:43pm

[changeset-bot]

⚠️ No Changeset found

Latest commit: 3429819

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[CarlosCortizasCT]

I had to rebuild the fixtures because most of the jose APIs have changed.

[emmenko]

Thanks!

[CarlosCortizasCT]

jose APIs are now async so I found this initializer the simplest way to go.

[emmenko]

You can also check how we initialize this in our MC services (auth package).

Anyway, if it does the job all good.

[CarlosCortizasCT]

This is needed as jose now only exports esm module.

[CarlosCortizasCT]

This was the trickiest part as I was having a very weird error but finally got some help in the linked GitHub issue.

[emmenko]

Thanks for finally upgrade this!

PS: don't forget a changeset 😉

[CarlosCortizasCT]

Ok, the current state of the PR is as far I could get but still is not valid.

I managed to update to jose's dependency latest version and update our tests as needed, however, there's a problem with the new version in the testing context.

Example:

The problem seem related to the new version using the Uint8Array class and this one being problematic in jest.
I found this GitHub issue where they talk about this problem but applying the suggested change only makes the tests pass when run in isolation but it fails when all tests are run.

Since this is a dependency we only use for one test suite in the repository, @emmenko mentioned we could maybe just keep the current version and forget about the update.
At this point, I also vote for that suggestion.

@commercetools/shield-team-ext-and-infra please let me know your thoughts. 🙏

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.