Update dependency jose to v6

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jose	^5.1.2 → ^6.0.0

---

Release Notes

panva/jose (jose)

v6.2.3

Compare Source

Refactor

• cleanly reject invalid PBES2 p2c (0cdb851)

v6.2.2

Compare Source

Fixes

• reject failed decompression with JWEInvalid error (043b181)

v6.2.1

Compare Source

Refactor

• reorganize internals, less files, smaller footprint (d4231f9)

v6.2.0

Compare Source

Features

• re-introduce JWE "zip" (Compression Algorithm) Header Parameter support (b13b446)

Documentation

• clarify return of general jws and jwe (56682b4)

v6.1.3

Compare Source

Refactor

• avoid export * as for google closure's compiler sake (6303d98), closes #​832

v6.1.2

Compare Source

Refactor

• fallback to checking instanceof for CryptoKey (901cd90), closes #​765 #​803 #​821 #​827 #​828

v6.1.1

Compare Source

Documentation

• add link to RFC9864 (767edde)
• link to ML-DSA for JOSE (ed4252c)
• remove mention of Edge Runtime from the readme (94fdde7)
• update README.md (25098ef)

Refactor

• eliminate named exports in the source code (f6ae30d)
• expose setKeyManagementParameters also on a GeneralEncrypt Recipient (16e6b23)
• faster path for symmetric key checks (a44c2ec)
• improve en/decoding overheads (daee426)

v6.1.0

Compare Source

Features

• support AKP JWKs in calculateJwkThumbprint and calculateJwkThumbprintUri (cf2092a)
• support for the ML-DSA PQC Algorithm Identifiers (25ddce4)

v6.0.13

Compare Source

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.12

Compare Source

Documentation

• add known caveats to customFetch (02e1f1e)
• mention the apu/apv parameter names in setKeyManagementParameters (6274d5a)
• update compact setKeyManagementParameters (2f44381)
• use GitHub Flavored Markdown for notes and warnings (f6b4ffc)

Refactor

• createPublicKey is not a constructor (61ded78)
• update asn1.ts helper functions (b2b611c)

v6.0.11

Compare Source

Fixes

• typ checking edge-cases when it contains a slash (/) character (31e4baf)

v6.0.10

Compare Source

Refactor

• removed unused claims methods (74719cf)
• reorganize jwt claim set utils (1f12d88)

v6.0.9

Compare Source

Documentation

• add more symbol document, ignore ts-private fields (8b73687)
• bump typedoc (6163a8b)
• drop cdnjs links in README (a910038)
• drop denoland/x links in README and add jsr (3662b9e)
• fix key export links from docs/README.md (c8edfc2)

Refactor

• always assume structuredClone is present (f7898a9)
• hide internal private fields and drop ProduceJWT inheritance (ab18881)
• less objects when JWE JWT Replicated Header Parameters are used (c763a0e)

v6.0.8

Compare Source

Fixes

• export [customFetch] symbol from the default entrypoint (1615614), closes #​762

v6.0.7

Compare Source

Documentation

• improve generate key/secret and import function descriptions (cd06359)

Fixes

• use [customFetch] when provided to createRemoteJWKSet (35f6509), closes #​760

v6.0.6

Compare Source

Refactor

• move base64url around (e1350ef)

Documentation

• add various exported symbol descriptions (3b8ff71)
• add various exported symbol descriptions (fc4e7da)
• add various exported symbol descriptions (74f02c8)
• update base64url function descriptions (03d72c8)

v6.0.5

Compare Source

Refactor

• types: make JWKParameters.kty compatible with @​types/node and @​types/web (bb6ccfe)

Documentation

• add various exported symbol descriptions (f52c2ff)

v6.0.4

Compare Source

Refactor

• optimize base64 with tc39/proposal-arraybuffer-base64 (8a0da69), closes #​752
• update getSPKI to use crypto.createPublicKey when available (92392a0), closes #​752
• use Double HMAC pattern for AES-CBC tag comparison (f3ba4c7), closes #​752

v6.0.3

Compare Source

Documentation

• remove root module tag so that README.md shows up on jsr.io (ee70698)

v6.0.2

Compare Source

Documentation

• add module tags to all entrypoints (a5687aa)

v6.0.1

Compare Source

Refactor

• more readability in ecdhes.ts (84da9de)
• update asn1.ts helpers (b4f8fb3)

v6.0.0

Compare Source

⚠ BREAKING CHANGES

• The PEMImportOptions type interface is renamed to KeyImportOptions.
• all builds and bundles now use ES2022 as target
• createRemoteJWKSet now uses fetch, because of that its Node.js only options.agent property has been removed and new fetch-related options were added
• drop support for Ed448 and X448
• drop support for JWK key_ops and CryptoKey usages "(un)wrapKey" and "deriveKey"
• resolved keys returned as part of verify/decrypt operations (when get key functions are used) are always normalized to either Uint8Array / CryptoKey depending on what's more efficient for the executed operation
• Key "Type" Generics are removed
• CJS-style require is now only possible when require(esm) support is present in the Node.js runtime
• private KeyObject instances can no longer be used for verify operations
• private KeyObject instances can no longer be used for encryption operations
• generateSecret, generateKeyPair, importPKCS8, importSPKI, importJWK, and importX509 now yield a CryptoKey instead of a KeyObject in Node.js
• drop support for Node.js 18.x and earlier
• runtime-specific npm releases (jose-browser-runtime, jose-node-cjs-runtime, and jose-node-esm-runtime) are no longer maintained or supported
• removed secp256k1 JWS support
• removed deprecated experimental APIs
• removed RSA1_5 JWE support

Features

• enable CryptoKey and KeyObject inputs in JWK thumbprint functions (6fc9c44)
• JSON Web Key is now an allowed input everywhere (ebda967)

Refactor

• always use infered CryptoKey (c4abaa2)
• backport the Ed25519 JWS Algorithm Identifier support (7a94cb9)
• drop support for Ed448 and X448 (2fae1c4)
• drop support for JWK key_ops and CryptoKey usages "(un)wrapKey" and "deriveKey" (ef918be)
• ensure export functions continue to work with KeyObject inputs (28e9e68)
• hardcode the cryptoRuntime export since it is now always WebCryptoAPI (e00f273)
• JWK import extractable default for public keys is now true (64dcebe)
• PEM import extractable default for public keys is now true (4e9f114)
• removed deprecated APIs (5352083)
• removed secp256k1 JWS support (e2b58a5)
• restructure src/lib and src/runtime now that runtime is fixed (9b236ce)
• target is now ES2022 everywhere (aa590d5)
• update importJWK args to align with other import functions (355a2dd)
• WebCryptoAPI is now the only crypto used (161de46)

v5.10.0

Compare Source

Features

• support fully specified Ed25519 algorithm identifier (c39f57d)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1b3c03a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[devin-ai-integration]

Devin Review found 1 potential issue.

View 3 additional findings in Devin Review.

[devin-ai-integration]

🔴 Package engines field claims Node.js >=18 but jose v6 drops Node.js 18 support and breaks CJS on Node <22

Updating jose to ^6.0.0 without updating the engines field creates a compatibility mismatch. The package declares "node": ">=18" but jose v6 explicitly drops support for Node.js 18.x and earlier. More critically, jose v6 states: "CJS-style require is now only possible when require(esm) support is present in the Node.js runtime" (require(esm) was added in Node.js 22).

Impact on CJS consumers

The package exports a CJS entry point at packages/livekit-server-sdk/package.json:24 ("default": "./dist/index.cjs"). Since jose is a runtime dependency (not bundled), the CJS build will attempt to require('jose') at runtime. On Node.js versions 18–21, this will fail because jose v6 ships only ESM and those runtimes do not support require(esm). Users on Node.js 18 or 20 (both current LTS lines) who consume livekit-server-sdk via require() will get a runtime error.

The engines field at line 65 should be updated to reflect the actual minimum Node.js version required by the dependency graph (at minimum >=20, or >=22 if CJS support is needed).

Prompt for agents

Update the engines field in packages/livekit-server-sdk/package.json (currently at line 65: "node": ">=18") to reflect the minimum Node.js version required by jose v6. At minimum, change it to "node": ">=20" (jose v6 drops Node 18 support). If CJS consumers need to be supported, change it to "node": ">=22" since jose v6's CJS-style require only works with Node.js require(esm) support (added in Node 22). Alternatively, consider configuring tsup to bundle jose into the CJS output so CJS consumers on older Node.js versions are not affected.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

Devin Review found 1 new potential issue.

🐛 1 issue in files not directly in the diff

🐛 setNotBefore(new Date()) is incompatible with jose v6 which removed Date parameter support (packages/livekit-server-sdk/src/AccessToken.ts:206)

jose v6 removed support for Date instances in setNotBefore(), setExpirationTime(), and setIssuedAt() — these methods now only accept number | string. The call at AccessToken.ts:206 passes new Date(), which is no longer a valid argument after this version bump. This will cause a type error at build time and incorrect behavior at runtime if type checks are bypassed (a Date object would be coerced to its string representation rather than being treated as an epoch timestamp).

View 8 additional findings in Devin Review.

[devin-ai-integration]

Devin Review found 5 new potential issues.

[devin-ai-integration]

🚩 No code changes accompany the major version bump

This PR bumps jose from v5 to v6 (a major version) but includes zero code changes. Major version bumps typically include breaking changes. While the existing tests may pass if all used APIs remain compatible, the lack of any accompanying code changes warrants careful review of the jose v6 migration guide to ensure no behavioral changes affect JWT generation or verification.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 CJS export path may break on Node.js < 22 with jose v6

The package declares a CJS export at dist/index.cjs (line 24). jose v6 explicitly states that CJS-style require only works when require(esm) support is present in the Node.js runtime, which was introduced in Node.js 22. If tsup does NOT bundle jose into the CJS output (which is the default behavior for packages listed in dependencies), then CJS consumers on Node.js 18–21 will get a runtime error when the generated require('jose') call fails. This should be verified by checking the tsup configuration (tsup.config.ts or the tsup field in package.json) to see if noExternal: ['jose'] or similar bundling configuration is in place.

(Refers to lines 22-25)

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 No changeset included for the jose major version bump

The three .changeset/*.md files in this PR are all for @livekit/rtc-node (patch-level changes). There is no changeset entry for livekit-server-sdk despite bumping a major dependency (jose v5→v6). While this doesn't cause a runtime bug, it means this dependency change won't be reflected in the changelog or trigger a version bump for livekit-server-sdk. If jose v6 is considered a meaningful change for downstream consumers (e.g., due to transitive dependency resolution or peer dependency constraints), a changeset should be added.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🟡 clockTolerance parameter type allows string but jose v6 only accepts number

In jose v6, the clockTolerance option in jwtVerify only accepts a number (seconds), not a string. However, TokenVerifier.verify() at AccessToken.ts:228 declares clockTolerance: string | number, which allows callers to pass a string (e.g., '10s'). While the default value (defaultClockToleranceSeconds = 10) is a number and won't cause issues for default usage, any caller that passes a string will get a runtime error from jose v6.

Prompt for agents

In packages/livekit-server-sdk/src/AccessToken.ts line 228, change the clockTolerance parameter type from 'string | number' to just 'number' to match jose v6's API. The current signature is:

  async verify(token: string, clockTolerance: string | number = defaultClockToleranceSeconds): Promise<ClaimGrants>

It should become:

  async verify(token: string, clockTolerance: number = defaultClockToleranceSeconds): Promise<ClaimGrants>

Note: this is a public API change for the SDK, so callers passing strings will need to be updated. This is a breaking change in the SDK's own API surface.

---

Was this helpful? React with 👍 or 👎 to provide feedback.

[devin-ai-integration]

🚩 engines field claims Node.js 18 support but jose v6 drops it

The engines field at packages/livekit-server-sdk/package.json:65 specifies "node": ">=18", but jose v6's release notes explicitly state "drop support for Node.js 18.x and earlier." While Node.js 18 reached EOL in April 2025, the SDK still advertises support. The engines field should likely be updated to >=20 to match the actual minimum supported runtime. This is a documentation/configuration concern rather than a code bug — actual runtime failures depend on which Node.js 18 features jose v6 relies on (e.g., WebCryptoAPI completeness).

---

Was this helpful? React with 👍 or 👎 to provide feedback.