You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Author of jose12 here, over the last couple of months to a year I'm tracking an increased number of Stack Overflow questions, github tickets and discussions across numerous runtimes, buzz in general, about firebase-admin "not working on X" (Deno, CF Workers, Bun, you name it).
As these runtimes struggle to properly emulate the node:crypto module the use of the Node.js-only jsonwebtoken module is often the breaking point for some users.
So, if there was appetite for it from the maintainers of firebase-admin, I'd give replacing jsonwebtoken with jose, which works universally34 in all the different runtimes, whilst utilizing the given runtime's native crypto, a shot.
From the looks of it it would appear jose could replace 3 direct dependencies (jsonwebtoken, jwks-rsa, and node-forge), the resulting transitive dependencies as well of course, all the while having 0 dependencies itself.
I'm probing for interest first before spending the effort as well as to get a buy in because the replacement might require the bump of package.json engines entry from 14 to 18 if the latest (v5.x) version of jose is to be used. v4.x does support 14 but it would only receive future security fixes, not bug fixes. I don't think using 4.x should be a blocker as the functions firebase-admin requires are really stable. The change might also require to update the signature of some of the function's to be promise-based which may or may not lead to a breaking change and in so a major version bump.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
Hello 👋
Author of
jose12 here, over the last couple of months to a year I'm tracking an increased number of Stack Overflow questions, github tickets and discussions across numerous runtimes, buzz in general, about firebase-admin "not working on X" (Deno, CF Workers, Bun, you name it).As these runtimes struggle to properly emulate the
node:cryptomodule the use of the Node.js-onlyjsonwebtokenmodule is often the breaking point for some users.So, if there was appetite for it from the maintainers of
firebase-admin, I'd give replacingjsonwebtokenwithjose, which works universally34 in all the different runtimes, whilst utilizing the given runtime's native crypto, a shot.From the looks of it it would appear
josecould replace 3 direct dependencies (jsonwebtoken,jwks-rsa, andnode-forge), the resulting transitive dependencies as well of course, all the while having 0 dependencies itself.I'm probing for interest first before spending the effort as well as to get a buy in because the replacement might require the bump of package.json
enginesentry from 14 to 18 if the latest (v5.x) version ofjoseis to be used. v4.x does support 14 but it would only receive future security fixes, not bug fixes. I don't think using 4.x should be a blocker as the functionsfirebase-adminrequires are really stable. The change might also require to update the signature of some of the function's to be promise-based which may or may not lead to a breaking change and in so a major version bump.Footnotes
https://github.com/panva/jose#readme ↩
https://www.npmjs.com/package/jose ↩
https://github.com/panva/jose#supported-runtimes ↩
https://github.com/panva/jose/actions/runs/7610320072 ↩
Beta Was this translation helpful? Give feedback.
All reactions