Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency jose to v4 #1016

Merged
merged 2 commits into from
Dec 16, 2021
Merged

fix(deps): update dependency jose to v4 #1016

merged 2 commits into from
Dec 16, 2021

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Oct 21, 2021
edited
Loading

WhiteSource Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
jose ^3.11.6 -> ^4.0.0 age adoption passing confidence

Release Notes

panva/jose

v4.3.7

Compare Source

Fixes
  • typescript: b64: true is fine to use in JWT, its useless, but allowed (#​324) (ee401c9)

v4.3.6

Compare Source

Fixes
  • electron: rsa-pss keys are never supported (188c1f7)

v4.3.5

Compare Source

Fixes

v4.3.4

Compare Source

Fixes
  • Compact JWS verification handles a zero-length payload string (7c70e7b)

v4.3.3

Compare Source

Fixes
  • typescript: apply updated compact and jwt headers to compact/jwt verify and decrypt results (0c1946c)

v4.3.2

Compare Source

Fixes
  • createRemoteJWKSet handles all JWS syntaxes (aaba8f3)
  • typescript: Compact JWS Header Parameters has alg and enc as required (0fa87af)
  • typescript: Compact JWS Header Parameters has alg as required (c7fabd0)
  • typescript: Signed JWT Header Parameters has alg as required and b64 as never (79cbd82)

v4.3.0

Compare Source

Features
  • add GeneralSign signature and GeneralEncrypt recipient builder chaining (cfc93f5)

v4.2.1

Compare Source

Fixes
  • node: dont mention CryptoKey in versions without webcrypto (401cabf)

v4.2.0

Compare Source

Features

v4.1.5

Compare Source

Fixes
  • importX509 certificate values that do not include a version number (51a18b6), closes #​308

v4.1.4

Compare Source

Fixes
  • allow shorter HMAC secrets (57126f1)

v4.1.3

Compare Source

Fixes
  • edge-functions: don't use globalThis (3952030)

v4.1.2

Compare Source

Fixes
  • build: ensure cjs/esm specific packages have the right main entry (2f4526a)

v4.1.1

Compare Source

Fixes
  • typescript: work around potentially missing global URL from DOM lib (7ed731c), closes #​295

v4.1.0

Compare Source

Features
  • web: publish umd and bundle files to cdnjs.com (3b3100a)

v4.0.4

Compare Source

Fixes
  • web: check Uint8Array CEK lengths, refactor for better tree-shaking (e8299f2)

v4.0.3

Compare Source

Fixes
  • web: checking cryptokey applicability early (89dc2aa)

v4.0.2

Compare Source

Fixes

v4.0.1

Compare Source

Fixes
  • typescript: re-export all types from index.d.ts (d68f104)

v4.0.0

Compare Source

⚠ BREAKING CHANGES
  • All module named exports have moved from subpaths to
    just "jose". For example, import { jwtVerify } from 'jose/jwt/verify'
    is now just import { jwtVerify } from 'jose'.
  • All submodule default exports and named have been
    removed in favour of just "jose" named exports.
  • typescript: remove repeated type re-exports
  • The undocumented jose/util/random was removed.
  • The jose/jwk/thumbprint named export
    is renamed to calculateJwkThumbprint, now
    import { calculateJwkThumbprint } from 'jose'
  • The deprecated jose/jwk/parse module was
    removed, use import { importJWK } from 'jose' instead.
  • The deprecated jose/jwk/from_key_like module was
    removed, use import { exportJWK } from 'jose' instead.
Refactor
  • redo exports to support broader tooling (dd2cf9e)
  • remove util/random (914e47f)
  • removed the deprecated jwk/from_key_like module (ec1d0e7)
  • removed the deprecated jwk/parse module (8d3cc3b)
  • rename calculateThumprint to calculateJwkThumbprint (5afb713)
  • typescript: remove repeated type re-exports (3e137d2)

v3.20.3

Compare Source

Fixes
  • remove clutter when tree shaking browser dist (73ba370)
  • typescript: JWTExpired error TS2417 (373e0e4)

v3.20.2

Compare Source

Fixes
  • allow tree-shaking of errors (0824301)

v3.20.1

Compare Source

Fixes
  • typescript: PEM import functions always resolve a KeyLike, never a Uint8Array (8ef3a8e)

v3.20.0

Compare Source

Features
Fixes
  • proper createRemoteJWKSet timeoutDuration handling (efa1619), closes #​277

v3.19.0

Compare Source

Features
  • return resolved key when verify and decrypt resolve functions are used (49fb62c)

v3.18.0

Compare Source

Features
  • add X.509/SPKI/PKCS8 key import and SPKI/PKCS8 export functions (a2af0f4)

Configuration

📅 Schedule: "before 7am every weekday" in timezone Europe/Brussels.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by WhiteSource Renovate. View repository job log here.

@joachimvh
Copy link
Member

I tried updating to this version, but there seems to be a problem with the keys being generated in this version. The entire OIDC process still works, but when trying to authenticate with the generated access token, the access-token-verifier library errors:

BadRequestHttpError: Error verifying WebID via DPoP-bound access token: (0 , remote_1.default) is not a function
  at DPoPWebIdExtractor.handle (C:\projects\solid\community-server\src\authentication\DPoPWebIdExtractor.ts:61:13)
  at runMicrotasks (<anonymous>)
  at processTicksAndRejections (node:internal/process/task_queues:96:5)
  at async Promise.all (index 0)
  at UnionCredentialsExtractor.handleSafe (C:\projects\solid\community-server\src\util\handlers\UnionHandler.ts:68:21)
  at AuthorizingHttpHandler.handle (C:\projects\solid\community-server\src\server\AuthorizingHttpHandler.ts:63:40)
  at ParsingHttpHandler.handle (C:\projects\solid\community-server\src\server\ParsingHttpHandler.ts:66:16)
  at SequenceHandler.handle (C:\projects\solid\community-server\src\util\handlers\SequenceHandler.ts:27:18)
  at Server.<anonymous> (C:\projects\solid\community-server\src\server\BaseHttpServerFactory.ts:67:11)"}

The actual keys being generated look the same, as in, they generate objects with the same keys. My cryptographical knowledge is not enough to say anything about the values.

Note for future attempts: the fromKeyLike function got replaced with exportJWK in this version.

@RubenVerborgh
Copy link
Member

@joachimvh I just verified that CommunitySolidServer/access-token-verifier#18 works; perhaps things improve if that one is upgraded?

@joachimvh
Copy link
Member

@joachimvh I just verified that solid/access-token-verifier#18 works; perhaps things improve if that one is upgraded?

That does indeed fix it

@joachimvh joachimvh merged commit a90687d into main Dec 16, 2021
@joachimvh joachimvh deleted the renovate/jose-4.x branch December 16, 2021 10:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joachimvh joachimvh joachimvh approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@joachimvh @RubenVerborgh @renovate-bot