You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Author of jose12 here, over the last couple of months to a year I'm tracking an increased number of Stack Overflow questions, github tickets and discussions across numerous runtimes, buzz in general, about firebase-admin "not working on X" (Deno, CF Workers, Bun, you name it).
As these runtimes struggle to properly emulate the node:crypto module the use of the Node.js-only jsonwebtoken module is often the breaking point for some users.
So, if there was appetite for it from the maintainers of firebase-admin, I'd give replacing jsonwebtoken with jose, which works universally34 in all the different runtimes, whilst utilizing the given runtime's native crypto, a shot.
From the looks of it it would appear jose could replace 3 direct dependencies (jsonwebtoken, jwks-rsa, and node-forge), the resulting transitive dependencies as well of course, all the while having 0 dependencies itself.
I'm probing for interest first before spending the effort as well as to get a buy in because the replacement might require the bump of package.json engines entry from 14 to 18 if the latest (v5.x) version of jose is to be used. v4.x does support 14 but it would only receive future security fixes, not bug fixes. I don't think using 4.x should be a blocker as the functions firebase-admin requires are really stable. The change might also require to update the signature of some of the function's to be promise-based which may or may not lead to a breaking change and in so a major version bump.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hello 👋
Author of
jose
12 here, over the last couple of months to a year I'm tracking an increased number of Stack Overflow questions, github tickets and discussions across numerous runtimes, buzz in general, about firebase-admin "not working on X" (Deno, CF Workers, Bun, you name it).As these runtimes struggle to properly emulate the
node:crypto
module the use of the Node.js-onlyjsonwebtoken
module is often the breaking point for some users.So, if there was appetite for it from the maintainers of
firebase-admin
, I'd give replacingjsonwebtoken
withjose
, which works universally34 in all the different runtimes, whilst utilizing the given runtime's native crypto, a shot.From the looks of it it would appear
jose
could replace 3 direct dependencies (jsonwebtoken
,jwks-rsa
, andnode-forge
), the resulting transitive dependencies as well of course, all the while having 0 dependencies itself.I'm probing for interest first before spending the effort as well as to get a buy in because the replacement might require the bump of package.json
engines
entry from 14 to 18 if the latest (v5.x) version ofjose
is to be used. v4.x does support 14 but it would only receive future security fixes, not bug fixes. I don't think using 4.x should be a blocker as the functionsfirebase-admin
requires are really stable. The change might also require to update the signature of some of the function's to be promise-based which may or may not lead to a breaking change and in so a major version bump.Footnotes
https://github.com/panva/jose#readme ↩
https://www.npmjs.com/package/jose ↩
https://github.com/panva/jose#supported-runtimes ↩
https://github.com/panva/jose/actions/runs/7610320072 ↩
Beta Was this translation helpful? Give feedback.
All reactions