refactor: migrate from jsonwebtoken to jose v5 #1498
Conversation
…s no longer maintained
fbartho
left a comment
fbartho
left a comment
There was a problem hiding this comment.
I tried, but failed to finish assessing Jose as a library, sorry, but I wanted to post this other content.
I support a better maintained library, but this code feels relatively security sensitive, so I’m worried.
| "https-proxy-agent": "^7.0.2", | ||
| "hyperlinker": "^1.0.0", | ||
| "ini": "^5.0.0", | ||
| "jose": "^5.0.0", |
There was a problem hiding this comment.
This seems like a relatively high-sensitivity dependency. It's good that we're working on using something more maintained.
Would you mind explaining why you're pulling in version 5.0.0 instead of the latest version? (It looks like 6.1.1 is the latest)?
There was a problem hiding this comment.
Thank you for your response.
This article explains the topic very clearly.
https://dev.to/silentwatcher_95/why-you-should-delete-jsonwebtoken-in-2025-1o7n
There was a problem hiding this comment.
Since v6 is ESM-only, it won’t run here.
Supported Versions
| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ | Runtime and Module type |
|---|---|---|---|---|
| v6.x | [Security Policy] | ✅ | ✅ | Universal[^universal] ESM[^cjs] |
| v5.x | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |
| v4.x | [Security Policy] | ❌ | ❌ | Universal[^universal] CJS + ESM |
| v2.x | [Security Policy] | ❌ | ❌ | Node.js CJS |
|
This seems reasonable to me, GitHub App based Danger setups are practically non-existent to my knowledge (I added the support for Peril which hasn't seen an update in a long time) and from an eyeball this seems correct 👍🏻 |
3 participants
Why this change
• jsonwebtoken is no longer actively maintained and has accumulated a large dependency tree.
• jose is a modern, actively maintained, and dependency-light alternative with better security posture.
What changed
• Updated token generation/verification logic in Danger.js to use jose.
• Adjusted the code paths to match jose’s async API and stricter type expectations.
The project’s current version (v5) is the last one that supports CommonJS; v6+ is ESM-only, which is incompatible with Danger.js’ CJS execution environment.
Verification
• All existing unit tests are passing.
• Additional validation will be required in downstream workflows, as token handling can differ subtly between libraries (expiration, algorithm defaults, error classes, etc.).
• No functional changes expected, but we should keep an eye on the next CI runs using Danger.
Benefits
• Reduced dependency footprint.
• Better long-term security and maintenance prospects.
• Aligns with current recommendations for jose/JWT handling.