@l7aromeo l7aromeo commented Nov 1, 2025

Description

This PR updates the jws dependency from 3.2.2 to 4.0.0 to resolve compatibility issues with Node.js 25+, where the SlowBuffer constructor has been removed.

Problem:
The current dependency chain includes an outdated version of jwa (1.4.1) that depends on buffer-equal-constant-time, which uses the deprecated SlowBuffer API. This causes the library to crash on Node.js 25 with the error:

TypeError: Cannot read properties of undefined (reading 'prototype')

Solution:
Updating jws to 4.0.0 brings in jwa 2.0.0, which replaced buffer-equal-constant-time with Node.js's native crypto.timingSafeEqual() method (introduced in jwa 1.4.2).

Dependency chain:

  • Before: jsonwebtoken → jws 3.2.2 → jwa 1.4.1 → buffer-equal-constant-time (uses SlowBuffer ❌)
  • After: jsonwebtoken → jws 4.0.0 → jwa 2.0.0 → crypto.timingSafeEqual (native, no SlowBuffer ✅)

Compatibility:

  • ✅ Node.js 25+ (SlowBuffer removed)
  • ✅ Node.js 22 LTS
  • ✅ Node.js 20 LTS
  • ✅ Node.js 18 LTS

This is a non-breaking change as jws 4.0.0 maintains API compatibility with 3.x.

References

Testing

Manual Testing:

  • Tested on Node.js 25.0.0 - library loads and functions correctly ✅
  • Tested on Node.js 22.12.0 (LTS) - backward compatibility confirmed ✅
  • Tested on Node.js 20.18.1 (LTS) - backward compatibility confirmed ✅

Test Commands:

# Install and verify
npm install
npm test

# Verify JWT operations work
node -e "const jwt = require('./'); const token = jwt.sign({foo: 'bar'}, 'secret'); console.log(jwt.verify(token, 'secret'));"

Environment:

  • Node.js: 25.0.0, 22.12.0, 20.18.1
  • npm: 10.x/11.x
  • OS: macOS 26.1

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
    • No documentation changes needed - this is an internal dependency update with no API changes
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

Dependency chain issue:
- jsonwebtoken → jws 3.2.2 → jwa 1.4.1 → buffer-equal-constant-time
- buffer-equal-constant-time uses SlowBuffer (removed in Node.js 25)
- jwa 1.4.2+ replaced buffer-equal-constant-time with crypto.timingSafeEqual
- jws 4.0.0 includes jwa 2.0.0 which has the fix