fix: upgrade jose from v4 to v5 to fix pnpm trust policy install failure#1362
Merged
Conversation
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #1362 +/- ##
========================================
Coverage 89.62% 89.62%
========================================
Files 428 428
Lines 19886 19886
Branches 9757 9400 -357
========================================
Hits 17823 17823
Misses 2063 2063
Flags with carried forward coverage won't be shown. Click here to find out more. 🚀 New features to boost your workflow:
|
harshithRai
approved these changes
Jul 6, 2026
amitsingh05667
approved these changes
Jul 7, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Changes
Upgrades
josedependency from^4.13.2to^5.0.0(resolves to5.10.0).Why this is important:
jose@4.xwas published before npm provenance attestation existed and has no provenance signature.jose@5+ships with provenance, which means pnpm users withtrustPolicy: "no-downgrade"were completely blocked from installing thispackage with the error:
[ERR_PNPM_TRUST_DOWNGRADE] High-risk trust downgrade for "jose@4.15.9" (possible package takeover)
Compatibility - no breaking changes for this SDK:
All jose APIs used internally (
createRemoteJWKSet,jwtVerify,decodeProtectedHeader,decodeJwt,importPKCS8,SignJWT,base64url.encode) are available in v5 with identical signatures.No code changes were required alongside the version bump.
References
pnpmwhen settingtrustPolicyto"no-downgrade"due to oldjosedependency version #1344Testing
All 1643 existing tests pass with no changes (
jest --config jest.config.mjs)To reproduce the original issue before this fix: create a pnpm project, set
trustPolicy: "no-downgrade"inpnpm-workspace.yaml, and runpnpm install auth0@<previous version>- it will fail with the trust downgrade error. With this fix, installation succeeds.This change adds unit test coverage
This change adds integration test coverage
Checklist