Conversation


@yisyang yisyang commented Sep 18, 2025

By submitting a PR to this repository, you agree to the terms within the Auth0 Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.

Description

This PR upgrades the jose dependency from 4.15.4 to 6.1.0 in order to resolve a high-score CVE, CVE-2025-45767.

Resolves #443

Note: the changes will require a later version of Node.js.

As mentioned by lotmek quoting jose specifications, it is now possible to import ESM packages from CommonJS using require(esm) by default in the latest Node.js versions:

^20.19.0
^22.12.0
>= 23.0.0

References

jwks-rsa has high score vulnerability from jose dependency #443

Testing

  • This change adds test coverage for new/changed/fixed functionality
  • Manual testing in live environment that uses Next.js that integrates against browser SPA OAuth flow (PKCE + jwks URI).

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not the default branch

Important Notes

  • jwks-rsa is converted to ESM; a new build process is added (using the rollup package) to release a packaged dist/index.js
  • Downstream Jest tests will need a custom mock to work (see README > Known Issues)
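The Node.js ranges listed above (^20.19.0, ^22.12.0, >=23.0.0) are the versions where a CommonJS consumer can `require()` the ESM build of jwks-rsa without a flag. The following is an added example, not code from this PR or from the jwks-rsa project: a consumer-side helper that checks the running Node.js version against those ranges and loads an ESM-only package from CommonJS, falling back to dynamic `import()` where `require(esm)` is not available. The function names and the injectable `requireFn`/`importFn` parameters are assumptions made for this example.

```javascript
// Added example (not part of the PR): consumer-side support check for
// require(esm) on the Node.js ranges named in the PR description
// (^20.19.0 || ^22.12.0 || >=23.0.0), plus a loader with an import() fallback.

// Parse "v22.12.0" or "22.12.0" into [major, minor, patch].
function parseNodeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) throw new Error(`unrecognised Node.js version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when `version` satisfies ^20.19.0 || ^22.12.0 || >=23.0.0, i.e. the
// runtimes where require(esm) is enabled by default.
function supportsRequireEsm(version) {
  const [major, minor] = parseNodeVersion(version);
  if (major >= 23) return true;
  if (major === 22) return minor >= 12;
  if (major === 20) return minor >= 19;
  return false; // 21.x and anything older than 20.19 need import()
}

// Load an ESM-only package from CommonJS code. Tries require() first and
// falls back to import() when the runtime reports ERR_REQUIRE_ESM.
// `requireFn` and `importFn` are injectable (hypothetical parameters) so the
// decision logic can be exercised without touching the real module system.
async function loadEsmFromCjs(specifier, { requireFn, importFn } = {}) {
  const req = requireFn || (typeof require === 'function' ? require : null);
  const imp = importFn || ((s) => import(s));
  if (req) {
    try {
      return req(specifier);
    } catch (err) {
      // Only an ESM-in-CJS error is a reason to fall back; anything else
      // (module not found, syntax error) is a real failure and is rethrown.
      if (!err || err.code !== 'ERR_REQUIRE_ESM') throw err;
    }
  }
  return imp(specifier);
}

// Convenience wrapper for the package this PR converts to ESM.
function loadJwksRsa(opts) {
  return loadEsmFromCjs('jwks-rsa', opts);
}
```

In a CommonJS consumer the call site becomes `const jwksRsa = await loadJwksRsa();` (then `jwksRsa.default` on the import() path); `supportsRequireEsm(process.version)` can be used in a preinstall or startup check to fail early with a clear message on unsupported runtimes.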

@yisyang yisyang requested a review from a team as a code owner September 18, 2025 20:46

@yisyang yisyang changed the title Upgrade jose from 4.15.4 to 6.1.0 NOT READY - Upgrade jose from 4.15.4 to 6.1.0 Sep 19, 2025

yisyang commented Sep 19, 2025

Results:

  • jwks-rsa converted to ESM
  • jose upgraded to 6.1.0
  • All tests passing
  • Downstream NestJS app launches, login works
  • Downstream Jest test needs custom mock to work (see README > Known Issues)

@yisyang yisyang changed the title NOT READY - Upgrade jose from 4.15.4 to 6.1.0 Upgrade jwks-rsa to ESM and jose from 4.15.4 to 6.1.0 Sep 19, 2025
@radioflyer-sbs

Is there any movement on this? We're literally waiting on this PR to go through to resolve our vulnerability issue. If this isn't going somewhere, we'll have to look for other means.


yisyang commented Sep 26, 2025

@stevenwong-okta @auth0/project-dx-sdks-engineer-codeowner

@tylor-metrics

Watching for this change to hit as well.


Development

Successfully merging this pull request may close these issues.

jwks-rsa has high score vulnerability from jose dependency

3 participants