jwks-rsa No license 8 versions

jwks-rsa

npm Repository Homepage

8

Versions

—

License

No

Install Scripts

Verified

Provenance

Supply chain provenance

Status for the latest visible version.

SLSA provenance attestation npm registry signatures gitHead linked

Maintainers

auth0-ossauth0npmauth0brokkrjesseleoktajeffoktajeffbsmith-auth0sanjay.manikandhanjosecarlos-chavez_atkosgarcia-atkoroger.chanmaaantonelewisbyrne-oktatarunpreet.kaursandrinodimattiacocojoe

Keywords

jwksrsajwt

Accepted risks

Findings the reviewer chose to accept rather than block on.

Source	Rule	Reason	Accepted by	When
phantom-deps	phantom-dep:@types/express	AI (phantom-deps): TypeScript type definitions loaded by convention; standard pattern for @types packages in framework integrations.	ai	2026/04/24
dependencies	unvetted-dep:jose	AI (dependencies): jose is a well-known, widely-used JWT/JWK library by Panva; its use in jwks-rsa is expected and appropriate for this package's purpose.	ai	2026/04/24
phantom-deps	phantom-dep:@types/jsonwebtoken	AI (phantom-deps): @types/jsonwebtoken is a TypeScript types package declared as a runtime dep for consumers' type inference; no runtime code, stable false positive for this package.	ai	2026/04/24

Versions (showing 8 of 8)

Version	Deps	Published
4.0.1	5 / 26	2026-03-02
4.0.0	5 / 26	2026-02-27
3.2.2	5 / 26	2026-01-23
3.2.1	5 / 26	2026-01-16
3.2.0	6 / 25	2025-03-18
3.1.0	6 / 25	2023-10-05
3.0.1	6 / 24	2023-01-12
3.0.0	6 / 24	2022-11-01

v4.0.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v4.0.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.2

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.1

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.2.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.1.0

1 finding

INFO Has SLSA provenance attestation provenance

Published via CI/CD with Sigstore attestation (predicate: https://slsa.dev/provenance/v1). This is the strongest supply chain integrity signal.

v3.0.1

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Consider requesting the maintainer enable provenance via CI/CD.

v3.0.0

1 finding

LOW No provenance attestation provenance

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.