Skip to content

fix: upgrade jose from v4 to v5 to fix pnpm trust policy install failure#1362

Merged
ankita10119 merged 1 commit into
masterfrom
DXCDT-1980
Jul 7, 2026
Merged

fix: upgrade jose from v4 to v5 to fix pnpm trust policy install failure#1362
ankita10119 merged 1 commit into
masterfrom
DXCDT-1980

Conversation

@ankita10119

@ankita10119 ankita10119 commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

Changes

Upgrades jose dependency from ^4.13.2 to ^5.0.0 (resolves to 5.10.0).

Why this is important:
jose@4.x was published before npm provenance attestation existed and has no provenance signature. jose@5+ ships with provenance, which means pnpm users with trustPolicy: "no-downgrade" were completely blocked from installing this
package with the error:

[ERR_PNPM_TRUST_DOWNGRADE] High-risk trust downgrade for "jose@4.15.9" (possible package takeover)

Compatibility - no breaking changes for this SDK:

All jose APIs used internally (createRemoteJWKSet, jwtVerify, decodeProtectedHeader, decodeJwt, importPKCS8, SignJWT, base64url.encode) are available in v5 with identical signatures.

No code changes were required alongside the version bump.

References

Testing

  • All 1643 existing tests pass with no changes (jest --config jest.config.mjs)

  • To reproduce the original issue before this fix: create a pnpm project, set trustPolicy: "no-downgrade" in pnpm-workspace.yaml, and run pnpm install auth0@<previous version> - it will fail with the trust downgrade error. With this fix, installation succeeds.

  • This change adds unit test coverage

  • This change adds integration test coverage

Checklist

@ankita10119 ankita10119 requested a review from a team as a code owner July 5, 2026 17:47
@ankita10119 ankita10119 marked this pull request as draft July 5, 2026 17:47
@codecov

codecov Bot commented Jul 5, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.62%. Comparing base (df54749) to head (0984c76).

Additional details and impacted files

Impacted file tree graph

@@           Coverage Diff            @@
##           master    #1362    +/-   ##
========================================
  Coverage   89.62%   89.62%            
========================================
  Files         428      428            
  Lines       19886    19886            
  Branches     9757     9400   -357     
========================================
  Hits        17823    17823            
  Misses       2063     2063            
Flag Coverage Δ
alltests 89.62% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@ankita10119 ankita10119 marked this pull request as ready for review July 6, 2026 08:47
@ankita10119 ankita10119 merged commit 57ae86c into master Jul 7, 2026
10 checks passed
@ankita10119 ankita10119 deleted the DXCDT-1980 branch July 7, 2026 10:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

installation fails with pnpm when setting trustPolicy to "no-downgrade" due to old jose dependency version

3 participants