Gathering detailed insights and metrics for jose
Gathering detailed insights and metrics for jose
Gathering detailed insights and metrics for jose
Gathering detailed insights and metrics for jose
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes
npm install jose
Typescript
Module System
Node Version
NPM Version
99.7
Supply Chain
100
Quality
89.1
Maintenance
100
Vulnerability
100
License
Total
956,807,437
Last Day
483,537
Last Week
11,795,178
Last Month
48,254,796
Last Year
489,671,056
5,780 Stars
1,555 Commits
320 Forks
39 Watching
8 Branches
31 Contributors
Updated on 08 Dec 2024
Minified
Minified + Gzipped
TypeScript (62.38%)
JavaScript (36.95%)
Shell (0.68%)
Cumulative downloads
Total Downloads
Last day
13.2%
483,537
Compared to previous day
Last week
10.8%
11,795,178
Compared to previous week
Last month
-2.2%
48,254,796
Compared to previous month
Last year
88%
489,671,056
Compared to previous year
No dependencies detected.
jose
is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others.
If you want to quickly add JWT authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!
Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.
jose
has no dependencies and it exports tree-shakeable ESM. CJS is also supported.
jose
is distributed via npmjs.com, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.
example
ESM import
1import * as jose from 'jose'
example
CJS require
1const jose = require('jose')
The jose
module supports JSON Web Tokens (JWT) and provides functionality for signing and verifying tokens, as well as their JWT Claims Set validation.
jwtVerify
function
SignJWT
classThe jose
module supports encrypted JSON Web Tokens and provides functionality for encrypting and decrypting tokens, as well as their JWT Claims Set validation.
jwtDecrypt
functionEncryptJWT
classThe jose
module supports importing, exporting, and generating keys and secrets in various formats, including PEM formats like SPKI, X.509 certificate, and PKCS #8, as well as JSON Web Key (JWK).
The jose
module supports signing and verification of JWS messages with arbitrary payloads in Compact, Flattened JSON, and General JSON serialization syntaxes.
The jose
module supports encryption and decryption of JWE messages with arbitrary plaintext in Compact, Flattened JSON, and General JSON serialization syntaxes.
The following are additional features and utilities provided by the jose
module:
The jose
module is compatible with JavaScript runtimes that support the utilized Web API globals and standard built-in objects or are Node.js.
The following runtimes are supported (this is not an exhaustive list):
Please note that certain algorithms may not be available depending on the runtime used. You can find a list of available algorithms for each runtime in the specific issue links provided above.
Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ |
---|---|---|---|
v5.x | ✅ | ✅ | ✅ |
v4.x | ✅ | ❌ | ❌ |
v2.x | ✅ | ❌ | ❌ |
The algorithm implementations in jose
have been tested using test vectors from their respective specifications as well as RFC7520.
Stable Version
9
5.3/10
Summary
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Affected Versions
< 2.0.7
Patched Versions
2.0.7
5.3/10
Summary
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Affected Versions
>= 3.0.0, <= 4.15.4
Patched Versions
4.15.5
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 4.0.0, <= 4.9.1
Patched Versions
4.9.2
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 3.0.0, <= 3.20.3
Patched Versions
3.20.4
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 2.0.0, <= 2.0.5
Patched Versions
2.0.6
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 1.0.0, <= 1.28.1
Patched Versions
1.28.2
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 3.0.0, < 3.11.4
Patched Versions
3.11.4
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 2.0.0, < 2.0.5
Patched Versions
2.0.5
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 1.0.0, < 1.28.1
Patched Versions
1.28.1
Reason
30 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
Reason
no binaries found in the repo
Reason
packaging workflow detected
Details
Reason
0 existing vulnerabilities detected
Reason
SAST tool is not run on all commits -- score normalized to 6
Details
Reason
branch protection is not maximal on development and all release branches
Details
Reason
Found 1/28 approved changesets -- score normalized to 0
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
project is not fuzzed
Details
Reason
detected GitHub workflow tokens with excessive permissions
Details
Reason
security policy file not detected
Details
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
Score
Last Scanned on 2024-12-02
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More