chore: upgrade minimum Node.js runtime to 20.19.0#485
Conversation
| @@ -2127,13 +2311,15 @@ | |||
| "version": "1.0.0", | |||
| "resolved": "https://registry.npmjs.org/express-unless/-/express-unless-1.0.0.tgz", | |||
| "integrity": "sha512-zXSSClWBPfcSYjg0hcQNompkFN/MxQQ53eyrzm9BYgik2ut2I7PxAf2foVqBRMYCwWaZx/aWodi+uk76npdSAw==", | |||
| "dev": true | |||
| "dev": true, | |||
| "license": "MIT" | |||
| }, | |||
| "node_modules/express-jwt-v6/node_modules/jsonwebtoken": { | |||
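Review bot: the entry that opens at the end of this hunk, node_modules/express-jwt-v6/node_modules/jsonwebtoken, is a nested copy of jsonwebtoken isolated under express-jwt-v6, so its resolved version is independent of any top-level jsonwebtoken and the two Semgrep findings below attach to this copy alone. Since express-unless just above it carries "dev": true, check that this nested entry is flagged "dev": true as well so a production install with --omit=dev never pulls it; if it really is spec-only, as the reply says, the "upgrade to at least 9.0.0" advice is a test-dependency bump rather than a runtime exposure, and it would be cheaper to do that bump in this lockfile regeneration than to carry two /other waivers.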
Medium severity vulnerability may affect your project—review required:
Line 2317 lists a dependency (jsonwebtoken) with a known Medium severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.
To resolve this comment:
Check if you are using a poorly implemented key retrieval function and your application supports both symmetric and asymmetric keys in its jwt.verify() implementation with the same key retrieval function.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
/other only used in specs
High severity vulnerability may affect your project—review required:
Line 2317 lists a dependency (jsonwebtoken) with a known High severity vulnerability.
ℹ️ Why this matters
Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.
To resolve this comment:
Check if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm.
- If you're affected, upgrade this dependency to at least version 9.0.0 at package-lock.json.
- If you're not affected, comment
/fp we don't use this [condition]
💬 Ignore this finding
To ignore this, reply with:
- /fp <comment> for false positive
- /ar <comment> for acceptable risk
- /other <comment> for all other reasons
You can view more details on this finding in the Semgrep AppSec Platform here.
/other only used in specs
.github/workflows/matrix.json
Outdated
| { "node": "23.0.0" }, | ||
| { "node": "22.12.0" }, | ||
| { "node": "20.19.0" } |
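Review bot: pinning exact patch releases in the matrix ({ "node": "23.0.0" }, { "node": "22.12.0" }, { "node": "20.19.0" }) means CI only ever exercises the first release of each line that unflagged require(esm) and never the current patch level users actually install; 23 is also an odd-numbered, non-LTS line with a short support window, whereas 24 is LTS. Suggest keeping the engines floor covered but expressing the lines as setup-node ranges such as "20.x", "22.x" and "24.x", which setup-node resolves to the newest matching release, and dropping 23 in favour of 24 as the thread proposes.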
Would this always run with these specific versions? Shouldn't we use the latest of all?
Also, I would recommend including 24 in the matrix, and not 23.
Yes, the gh actions should always run against these specific versions.
I was thinking of keeping just one (latest of all).
But then, the build matrix was already configured and testing for 14, 16 and 18. So I thought there does not seem to be any harm in testing against the minimum node versions that we kept in package.json.
> Also, I would recommend including 24 in the matrix, and not 23.
Yes, that makes sense, will update it.
Why should it run against those versions specifically, and not the latest of 20, the latest of 22 and the latest of 24?
Yes, I agree, it should run against the latest of 20, 22 and 24.
The reason I kept them this specific: I was in a bit of doubt about setup-node behaviour, whether it installs the latest version if I mention, say, 20.x.
But let me confirm and update these versions to use their latest.
| "types": "index.d.ts", | ||
| "engines": { | ||
| "node": ">=14" | ||
| "node": "^20.19.0 || ^22.12.0 || >= 23.0.0" |
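Review bot: the engines change from ">=14" to "^20.19.0 || ^22.12.0 || >= 23.0.0" drops 14, 16 and 18 and is therefore a breaking change that needs a changelog entry and a major version bump, as the thread already concludes. Two caveats worth recording alongside it: npm only warns on an engines mismatch unless the consumer sets engine-strict, so an install on Node 18 still succeeds and the ESM-only dependency then fails at the first require() at runtime rather than at install time; and ">= 23.0.0" deliberately admits odd-numbered non-LTS lines, which is correct for the require(esm) feature and means the range will not need touching for 24.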
Should we document this as a breaking change?
We documented earlier like this https://github.com/auth0/node-jwks-rsa/blob/master/CHANGELOG.md?plain=1#L57
Yes, this is a breaking change and should be added to the changelog.
Thinking of adding it while raising the Release 4.0.0 PR.
You can add it in the PR description for now.
.github/workflows/test.yml
Outdated
|
|
||
| # only upload coverage on one node version | ||
| - if: matrix.node == 18 | ||
| - if: matrix.node == 20 |
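Review bot: "if: matrix.node == 20" cannot match any job once the matrix holds full version strings such as "20.19.0" (or ranges such as "^20.19.0"): GitHub's expression == casts a string that is not a legal number to NaN, so the comparison is false for every entry and coverage is silently never uploaded. The old "== 18" condition only worked because the matrix held bare majors. Use startsWith(matrix.node, '20'), or add an explicit field such as coverage: true to exactly one matrix entry and test that instead, so the condition survives future changes to how the versions are spelled.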
We have ^24.0.0, ^22.12.0, ^20.19.0 in https://github.com/auth0/node-jwks-rsa/blob/e7385b9112f50bf90a5715b12c7f57e1f4e42727/.github/workflows/matrix.json.
Does this condition ever pass: `if: matrix.node == 20`?
🛠️ Changes
- Updated the `engines` field in package.json to `^20.19.0 || ^22.12.0 || >= 23.0.0`.
- Updated the CI build matrix to test against Node.js 20.19.0, 22.12.0 and 23.
📋 Motivation
This change is driven by the need to modernize our dependency tree and ensure long-term support for the SDK.
Several critical dependencies, including `jose` and `lru-memoizer`, are currently pinned to legacy versions ([email protected] and [email protected]).
The ESM Challenge: Modern versions of these packages (e.g., [email protected]) have transitioned to ESM-only and can't be require()'d directly.
The Solution: Node.js recently introduced stable support for require()-ing synchronous ESM modules (unflagged in v20.19.0, v22.12.0, and v23.0.0). By raising our minimum version to v20.19.0, we can finally upgrade these dependencies while maintaining a CommonJS (CJS) interface for our SDK users without complex build workarounds.
Node.js 14, 16, and 18 have all reached End-of-Life (EOL).
Continuing support for these versions prevents us from adopting modern security patches and performance improvements available in newer runtime engines.
Removing these legacy runtimes reduces our maintenance overhead and ensures that our users are running the SDK on a secure, supported platform.
Minimum Node.js Version: Requires Node.js >= 20.19.0.
References
Testing