feat: upgrade jose dependency to v6 #486
package.json
Should we update this ("node": ">=14") as well?
I will rebase this PR once node upgrade PR #485 merges, and should reflect above.
| switch (jwk.crv) { | ||
| case 'P-256': | ||
| return 'ES256'; | ||
| case 'secp256k1': |
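Review bot: the `case 'secp256k1':` branch at the end of this hunk maps a curve that the PR description says jose v6 no longer supports; whatever that branch returns, the algorithm allowlist in config.js must change in the same diff so that ES256K is rejected when configuration is validated rather than only later, when the signing key is resolved.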
ES256K is still allowed in config.js.
So ES256K is allowed first, but fails later when the signing key is resolved.
Is this expected?
No, this is not expected.
I've removed the ES256K from the list of supported algorithms in config.js.
| case 'P-256': | ||
| return 'ES256'; | ||
| case 'secp256k1': | ||
| return 'ES256K'; |
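Review bot: `return 'ES256K'` for `secp256k1` should go together with the config.js entry, and the visible lines show no default branch, so an unmapped curve should end in an explicit unsupported-curve error rather than an undefined algorithm; the accompanying test should assert that a JWK with `crv: 'secp256k1'` is rejected with that error instead of being mapped to an algorithm the library can no longer sign with.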
Can we add test coverage for this removal?
Was reluctant to add a spec for this specific unsupported algo (also there was no file for utils spec).
But have created a utils.test.js and added a spec.
🚀 Changes
This PR updates the jose dependency to v6. The APIs used by the SDK -
This upgrade introduces the following breaking changes and architectural shifts:
CryptoKey Return Type
In jose@6, importJWK has transitioned to returning a CryptoKey object (part of the Web Crypto API) rather than the legacy Node.js-specific KeyObject.
Impact: This ensures the SDK uses standardized web primitives, making the underlying cryptographic operations more future-proof and compatible with modern environments.
Note: Support for KeyObject is still kept.
secp256k1 (ES256K) Support
This release drops support for the ES256K algorithm (secp256k1 curve).
Reason: jose has moved to a strict WebCrypto-first model. Because secp256k1 is not a standardized curve in the SubtleCrypto specification, maintaining a non-standard implementation would compromise the library's goal of strict spec alignment and cross-platform consistency.
Benefit: This change significantly reduces the maintenance surface and potential attack vectors by relying solely on standardized, highly-audited cryptographic implementations.
Minimum Node.js Version: Requires Node.js >= 20.19.0 (as established in PR #485).
Algorithm Support: Users relying on ES256K for signing/verification will need to transition to a supported curve (e.g., ES256 / P-256) or handle legacy keys externally.
References
Testing
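Worked example, added here and not part of this PR or the SDK's code: a JWK curve-to-algorithm resolver that fails closed on secp256k1, plus a config-load check that the algorithm allowlist (a constructed stand-in for config.js; names and constants are assumed) contains only algorithms the resolver can actually produce, which closes the "allowed in config, fails at signing time" gap raised in review above.

```javascript
'use strict';

// Constructed allowlist standing in for the SDK's config.js (assumed names).
const SUPPORTED_ALGS = ['RS256', 'ES256', 'ES384', 'ES512'];

// Curves jose v6 can back with WebCrypto. secp256k1 is deliberately absent,
// so an ES256K key can never be resolved to an algorithm here.
const CURVE_TO_ALG = {
  'P-256': 'ES256',
  'P-384': 'ES384',
  'P-521': 'ES512',
};

class UnsupportedKeyError extends Error {}

// Resolve the JWS algorithm for a JWK; anything unmapped is an error,
// never an undefined algorithm that surfaces later inside the signer.
function algForJwk(jwk) {
  switch (jwk.kty) {
    case 'RSA':
      return 'RS256';
    case 'EC': {
      const alg = CURVE_TO_ALG[jwk.crv];
      if (!alg) throw new UnsupportedKeyError(`unsupported EC curve: ${jwk.crv}`);
      return alg;
    }
    default:
      throw new UnsupportedKeyError(`unsupported kty: ${jwk.kty}`);
  }
}

// Config-load check: every allowed algorithm must be one algForJwk can
// return, otherwise the allowlist promises what the signer cannot deliver.
function findUnresolvableAlgs(allowed) {
  const resolvable = new Set(['RS256', ...Object.values(CURVE_TO_ALG)]);
  return allowed.filter((alg) => !resolvable.has(alg));
}

// Constructed sample public JWKs; coordinate values are placeholders.
const P256_JWK = { kty: 'EC', crv: 'P-256', x: 'placeholder-x', y: 'placeholder-y' };
const SECP256K1_JWK = { kty: 'EC', crv: 'secp256k1', x: 'placeholder-x', y: 'placeholder-y' };
```

Running `findUnresolvableAlgs` once at startup turns a stale `ES256K` entry in the allowlist into a configuration error instead of a failure at the first signing attempt.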