Skip to content

fix: update jws to 4.0.0 to resolve SlowBuffer deprecation#1001

Open
l7aromeo wants to merge 2 commits intoauth0:masterfrom
l7aromeo:master
Open

fix: update jws to 4.0.0 to resolve SlowBuffer deprecation#1001
l7aromeo wants to merge 2 commits intoauth0:masterfrom
l7aromeo:master

Conversation

@l7aromeo
Copy link

@l7aromeo l7aromeo commented Nov 1, 2025
edited
Loading

Description

This PR updates the jws dependency from 3.2.2 to 4.0.0 to resolve compatibility issues with Node.js 25+, where the SlowBuffer constructor has been removed.

Problem:
The current dependency chain includes an outdated version of jwa (1.4.1) that depends on buffer-equal-constant-time, which uses the deprecated SlowBuffer API. This causes the library to crash on Node.js 25 with the error:

TypeError: Cannot read properties of undefined (reading 'prototype')

Solution:
Updating jws to 4.0.0 brings in jwa 2.0.0, which replaced buffer-equal-constant-time with Node.js's native crypto.timingSafeEqual() method (introduced in jwa 1.4.2).

Dependency chain:

  • Before: jsonwebtoken → jws 3.2.2 → jwa 1.4.1 → buffer-equal-constant-time (uses SlowBuffer ❌)
  • After: jsonwebtoken → jws 4.0.0 → jwa 2.0.0 → crypto.timingSafeEqual (native, no SlowBuffer ✅)

Compatibility:

  • ✅ Node.js 25+ (SlowBuffer removed)
  • ✅ Node.js 22 LTS
  • ✅ Node.js 20 LTS
  • ✅ Node.js 18 LTS

This is a non-breaking change as jws 4.0.0 maintains API compatibility with 3.x.

References

Testing

Manual Testing:

  • Tested on Node.js 25.0.0 - library loads and functions correctly ✅
  • Tested on Node.js 22.12.0 (LTS) - backward compatibility confirmed ✅
  • Tested on Node.js 20.18.1 (LTS) - backward compatibility confirmed ✅

Test Commands:

# Install and verify
npm install
npm test

# Verify JWT operations work
node -e "const jwt = require('./'); const token = jwt.sign({foo: 'bar'}, 'secret'); console.log(jwt.verify(token, 'secret'));"

Environment:

  • Node.js: 25.0.0, 22.12.0, 20.18.1
  • npm: 10.x/11.x
  • OS: macOS 26.1

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
    • No documentation changes needed - this is an internal dependency update with no API changes
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

@l7aromeo
fix: update jws to 4.0.0 to resolve SlowBuffer deprecation
814511d 
Dependency chain issue:
- jsonwebtoken → jws 3.2.2 → jwa 1.4.1 → buffer-equal-constant-time
- buffer-equal-constant-time uses SlowBuffer (removed in Node.js 25)
- jwa 1.4.2+ replaced buffer-equal-constant-time with crypto.timingSafeEqual
- jws 4.0.0 includes jwa 2.0.0 which has the fix
@zaosoula
Copy link

zaosoula commented Nov 18, 2025

+1

@jakub-g
Copy link

jakub-g commented Nov 28, 2025
edited
Loading

Just to rephrase: Node.js doesn't deprecate SlowBuffer, it completely removes it, meaning apps on Node 25 will crash.

It would be good to have a look at this PR, given how slow deps updates flow through the ecosystem, and given that jsonwebtoken has over 34,000 dependends in npm. It's quite important for the entire ecosystem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@ork-acro ork-acro ork-acro approved these changes

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@l7aromeo @zaosoula @jakub-g @ork-acro