Gathering detailed insights and metrics for jose
Gathering detailed insights and metrics for jose
JWA, JWS, JWE, JWT, JWK, JWKS for Node.js, Browser, Cloudflare Workers, Deno, Bun, and other Web-interoperable runtimes
Installations
npm install joseScore
99.7
Supply Chain
100
Quality
89.2
Maintenance
100
Vulnerability
100
License
Developer
panva
Developer Guide
BETA
Module System
CommonJS, ESM, UMD
Min. Node Version
Typescript Support
Yes
Node Version
20.18.0
NPM Version
10.8.2
Statistics
5,741 Stars
1,553 Commits
319 Forks
39 Watching
8 Branches
31 Contributors
Updated on 28 Nov 2024
Languages
TypeScript (62.4%)
JavaScript (36.92%)
Shell (0.68%)
Total Downloads
Cumulative downloads
Total Downloads
941,447,576
Last day
-10.6%
2,058,383
Compared to previous day
Last week
1.6%
11,932,417
Compared to previous week
Last month
6.4%
50,311,755
Compared to previous month
Last year
91%
485,613,656
Compared to previous year
Daily Downloads
Weekly Downloads
Monthly Downloads
Yearly Downloads
No dependencies detected.
Versions
jose
jose is JavaScript module for JSON Object Signing and Encryption, providing support for JSON Web Tokens (JWT), JSON Web Signature (JWS), JSON Web Encryption (JWE), JSON Web Key (JWK), JSON Web Key Set (JWKS), and more. The module is designed to work across various Web-interoperable runtimes including Node.js, browsers, Cloudflare Workers, Deno, Bun, and others.
Sponsor
If you want to quickly add JWT authentication to JavaScript apps, feel free to check out Auth0's JavaScript SDK and free plan. Create an Auth0 account; it's free!
💗 Help the project
Support from the community to continue maintaining and improving this module is welcome. If you find the module useful, please consider supporting the project by becoming a sponsor.
Dependencies: 0
jose has no dependencies and it exports tree-shakeable ESM. CJS is also supported.
Documentation
jose is distributed via npmjs.com, deno.land/x, cdnjs.com, jsdelivr.com, and github.com.
example ESM import
1import * as jose from 'jose'
example CJS require
1const jose = require('jose')
JSON Web Tokens (JWT)
The jose module supports JSON Web Tokens (JWT) and provides functionality for signing and verifying tokens, as well as their JWT Claims Set validation.
- JWT Claims Set Validation & Signature Verification using the
jwtVerifyfunction - Signing using the
SignJWTclass - Utility functions
- Decoding Token's Protected Header
- Decoding JWT Claims Set prior to its validation
Encrypted JSON Web Tokens
The jose module supports encrypted JSON Web Tokens and provides functionality for encrypting and decrypting tokens, as well as their JWT Claims Set validation.
- Decryption & JWT Claims Set Validation using the
jwtDecryptfunction - Encryption using the
EncryptJWTclass - Utility functions
Key Utilities
The jose module supports importing, exporting, and generating keys and secrets in various formats, including PEM formats like SPKI, X.509 certificate, and PKCS #8, as well as JSON Web Key (JWK).
- Key Import Functions
- Key and Secret Generation Functions
- Key Export Functions
JSON Web Signature (JWS)
The jose module supports signing and verification of JWS messages with arbitrary payloads in Compact, Flattened JSON, and General JSON serialization syntaxes.
- Signing - Compact, Flattened JSON, General JSON
- Verification - Compact, Flattened JSON, General JSON
- Utility functions
JSON Web Encryption (JWE)
The jose module supports encryption and decryption of JWE messages with arbitrary plaintext in Compact, Flattened JSON, and General JSON serialization syntaxes.
- Encryption - Compact, Flattened JSON, General JSON
- Decryption - Compact, Flattened JSON, General JSON
- Utility functions
Other
The following are additional features and utilities provided by the jose module:
- Calculating JWK Thumbprint
- Calculating JWK Thumbprint URI
- Verification using a JWK Embedded in a JWS Header
- Unsecured JWT
- JOSE Errors
Supported Runtimes
The jose module is compatible with JavaScript runtimes that support the utilized Web API globals and standard built-in objects or are Node.js.
The following runtimes are supported (this is not an exhaustive list):
Please note that certain algorithms may not be available depending on the runtime used. You can find a list of available algorithms for each runtime in the specific issue links provided above.
Supported Versions
| Version | Security Fixes 🔑 | Other Bug Fixes 🐞 | New Features ⭐ |
|---|---|---|---|
| v5.x | ✅ | ✅ | ✅ |
| v4.x | ✅ | ❌ | ❌ |
| v2.x | ✅ | ❌ | ❌ |
Specifications
Details
- JSON Web Signature (JWS) - RFC7515
- JSON Web Encryption (JWE) - RFC7516
- JSON Web Key (JWK) - RFC7517
- JSON Web Algorithms (JWA) - RFC7518
- JSON Web Token (JWT) - RFC7519
- JSON Web Key Thumbprint - RFC7638
- JSON Web Key Thumbprint URI - RFC9278
- JWS Unencoded Payload Option - RFC7797
- CFRG Elliptic Curve ECDH and Signatures - RFC8037
- secp256k1 EC Key curve support - RFC8812
The algorithm implementations in jose have been tested using test vectors from their respective specifications as well as RFC7520.
Stable Version
The latest stable version of the package.
Stable Version
5.9.6
MODERATE
9
MODERATE
5.3/10
Summary
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Affected Versions
< 2.0.7
Patched Versions
2.0.7
MODERATE
5.3/10
Summary
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext
Affected Versions
>= 3.0.0, <= 4.15.4
Patched Versions
4.15.5
MODERATE
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 4.0.0, <= 4.9.1
Patched Versions
4.9.2
MODERATE
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 3.0.0, <= 3.20.3
Patched Versions
3.20.4
MODERATE
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 2.0.0, <= 2.0.5
Patched Versions
2.0.6
MODERATE
5.3/10
Summary
JOSE vulnerable to resource exhaustion via specifically crafted JWE
Affected Versions
>= 1.0.0, <= 1.28.1
Patched Versions
1.28.2
MODERATE
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 3.0.0, < 3.11.4
Patched Versions
3.11.4
MODERATE
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 2.0.0, < 2.0.5
Patched Versions
2.0.5
MODERATE
5.9/10
Summary
Padding Oracle Attack due to Observable Timing Discrepancy in jose
Affected Versions
>= 1.0.0, < 1.28.1
Patched Versions
1.28.1
Reason
30 commit(s) and 5 issue activity found in the last 90 days -- score normalized to 10
Reason
no binaries found in the repo
Reason
no dangerous workflow patterns detected
Reason
license file detected
Details
- Info: project has a license file: LICENSE.md:0
- Info: FSF or OSI recognized license: MIT License: LICENSE.md:0
Reason
packaging workflow detected
Details
- Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:11
Reason
0 existing vulnerabilities detected
Reason
SAST tool is not run on all commits -- score normalized to 5
Details
- Warn: 1 commits out of 2 are checked with a SAST tool
Reason
branch protection is not maximal on development and all release branches
Details
- Info: 'allow deletion' disabled on branch 'main'
- Info: 'force pushes' disabled on branch 'main'
- Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'
- Warn: could not determine whether codeowners review is allowed
- Warn: no status checks found to merge onto branch 'main'
- Warn: PRs are not required to make changes on branch 'main'; or we don't have data to detect it.If you think it might be the latter, make sure to run Scorecard with a PAT or use Repo Rules (that are always public) instead of Branch Protection settings
Reason
Found 1/29 approved changesets -- score normalized to 0
Reason
detected GitHub workflow tokens with excessive permissions
Details
- Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:54
- Warn: no topLevel permission defined: .github/workflows/build.yml:1
- Warn: no topLevel permission defined: .github/workflows/lock.yml:1
- Warn: no topLevel permission defined: .github/workflows/release.yml:1
- Warn: no topLevel permission defined: .github/workflows/test.yml:1
Reason
no effort to earn an OpenSSF best practices badge detected
Reason
dependency not pinned by hash detected -- score normalized to 0
Details
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/build.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/build.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:78: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:37: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/release.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:63: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:163: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:171: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:86: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:90: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:99: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:114: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:118: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:125: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:139: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:141: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:148: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:196: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:198: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:210: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:227: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:229: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:235: update your workflow using https://app.stepsecurity.io/secureworkflow/panva/jose/test.yml/main?enable=pin
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:147
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:204
- Warn: npmCommand not pinned by hash: .github/workflows/test.yml:243
- Info: 0 out of 34 GitHub-owned GitHubAction dependencies pinned
- Info: 1 out of 3 third-party GitHubAction dependencies pinned
- Info: 0 out of 3 npmCommand dependencies pinned
Reason
project is not fuzzed
Details
- Warn: no fuzzer integrations found
Reason
security policy file not detected
Details
- Warn: no security policy file detected
- Warn: no security file to analyze
- Warn: no security file to analyze
- Warn: no security file to analyze
Score
5.3
/10
Last Scanned on 2024-11-18
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.
Learn More