panva/jose vs auth0/node-jws, auth0/jwt-decode etc

[webketje]

Hi there,

I recently had to add a JWS detached signature to the product I'm working on. The goal of JOSE by itself is clear, and given that I only needed a fraction of what it provides and the individual jw* libraries are not published as separate NPM packages, I thought I would be better served for my use case using auth0/node-jws (I also like the simplicity of the API having just a few single-word methods).

I am really confused about the status of the auth0/node-jws and auth0/node-jwa repo's and I'm asking it here because panva used to be quite involved in those repo's. This comment by @panva (ok it's 2 years old) says there are no plans to deprecate them, but on the other hand, significant commit activity has stalled since they were transferred by omsmith to auth0 and there haven't been any new releases since 3 years, the code looks like it's miles behind JOSE's (although it works for my use case), and it seems the NPM package name mismatches with the repo (node-jws vs jws).

Can someone shed light/provide context on what happened here?

[panva]

Hello @webketje

I am really confused about the status of the auth0/node-jws and auth0/node-jwa repo's and I'm asking it here because panva used to be quite involved in those repo's.

I cannot say I've been keeping tabs on the activity of the transferred repos. They have been stable long before the transfer and as far as I can remember we merely wanted to avoid disruption and havoc in the jsonwebtoken module's dependency tree (due to its massive popularity and install base) if those repos and the npm modules got formally deprecated.

This comment by @panva (ok it's 2 years old) says there are no plans to deprecate them, but on the other hand, significant commit activity has stalled since they were transferred by omsmith to auth0 and there haven't been any new releases since 3 years

I think that shows stability rather than stillness, other than EdDSA and secp256k1 there have been no additions to the JWS algorithm list so there's really no need to touch these codebases.

it seems the NPM package name mismatches with the repo (node-jws vs jws).

I don't see why repo name should be 1:1 matched to the name of the module. I myself have two repos prefixed with node- whilst the module names go without it.

Can someone shed light/provide context on what happened here?

I hope I did, to some extent.

[webketje]

@panva thank you very much for the swift reply and clear info. Yes it's stable, though a cursory look at the issues and PRs at node-jws shows that there is a lot of room for improvement & enough material to be added for a minor, and perhaps even a major release.

NB: When I mentioned the code looks like it's miles behind I meant the codebase could use modernization (const instead of var, import instead of require, removal of now-obsolete dependencies). I also noticed that its jws.decode method returns null when the JWS is detached.