fix: update jws to 4.0.0 to resolve SlowBuffer deprecation

l7aromeo · l7aromeo · commit 814511d4fb56 · 2025-11-01T11:46:31.000+07:00
Dependency chain issue:
- jsonwebtoken → jws 3.2.2 → jwa 1.4.1 → buffer-equal-constant-time
- buffer-equal-constant-time uses SlowBuffer (removed in Node.js 25)
- jwa 1.4.2+ replaced buffer-equal-constant-time with crypto.timingSafeEqual
- jws 4.0.0 includes jwa 2.0.0 which has the fix
diff --git a/package.json b/package.json
@@ -36,7 +36,7 @@
     "url": "https://github.com/auth0/node-jsonwebtoken/issues"
   },
   "dependencies": {
-    "jws": "^3.2.2",
+    "jws": "^4.0.0",
     "lodash.includes": "^4.3.0",
     "lodash.isboolean": "^3.0.3",
     "lodash.isinteger": "^4.0.4",
