Weak Key Acceptance #362

@JWTSecAPI

Hi, we are a research group dedicated to helping developers build secure applications. We have developed a cryptographic misuse detector that focuses on the secure implementation and use of JSON Web Tokens (JWT). While analyzing your impressive public repository, our detector identified several security concerns.
Specifically, we found that the HMAC and RSA key lengths used in your JSON Web Signature (JWS) implementation do not meet recommended security standards. According to CWE-326 (Inadequate Encryption Strength), using keys that are too short can lead to serious vulnerabilities and potential attacks.
We kindly suggest reviewing and updating the key lengths to ensure that your cryptographic implementations adhere to best practices and maintain robust security.
Thank you for your attention.
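For reference, a key-size gate of the kind this report asks for, written as an added example that is not part of the issue or of the repository's code. It assumes keys arrive as JWKs and uses the minimums from RFC 7518 (HMAC key at least as long as the hash output, RSA modulus of 2048 bits or more); `check_jws_key`, `WeakKeyError` and `constructed_rsa_jwk` are hypothetical names.

```python
import base64

# Minimum sizes from RFC 7518: section 3.2 (HMAC), 3.3 and 3.5 (RSA).
HMAC_MIN_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
RSA_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}
RSA_MIN_BITS = 2048


class WeakKeyError(ValueError):
    """Key is too short, or of the wrong type, for the JWS algorithm."""


def b64url_decode(value: str) -> bytes:
    # JOSE uses base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def check_jws_key(alg: str, jwk: dict) -> int:
    """Return the key size in bits; raise WeakKeyError if below the minimum."""
    if alg in HMAC_MIN_BYTES:
        if jwk.get("kty") != "oct":
            raise WeakKeyError(f"{alg} needs an 'oct' key")
        size = len(b64url_decode(jwk["k"])) * 8
        minimum = HMAC_MIN_BYTES[alg] * 8
    elif alg in RSA_ALGS:
        if jwk.get("kty") != "RSA":
            raise WeakKeyError(f"{alg} needs an 'RSA' key")
        # Measure the modulus itself so leading zero bytes do not inflate it.
        size = int.from_bytes(b64url_decode(jwk["n"]), "big").bit_length()
        minimum = RSA_MIN_BITS
    else:
        raise WeakKeyError(f"no key-size rule for alg {alg!r}")
    if size < minimum:
        raise WeakKeyError(f"{alg}: {size}-bit key, minimum is {minimum}")
    return size


def constructed_rsa_jwk(bits: int) -> dict:
    # Constructed sample: an odd number of the given bit length, not a real modulus.
    n = (1 << (bits - 1)) | 1
    return {"kty": "RSA", "e": "AQAB", "n": b64url_encode(n.to_bytes((bits + 7) // 8, "big"))}
```

Calling the check both when a key is loaded and again at sign and verify time keeps a short key from being accepted through either path.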
