jwks-rsa @1.12.4
rejected
This version was rejected.
It did not pass GreenFlagged's security review and is not served by the registry.
The findings and risk dispositions below explain why.
Risk Score: 100
License: —
Install Scripts: No
Dependencies: 10
Dev Dependencies: 26
Package Size: 29.1 KB
Published:
Maintainers: auth0-ossauth0npmauth0brokkrjesseleoktajeffoktajeffbsmith-auth0sanjay.manikandhanniltorresatkohenry.mcardlenicolas.villalobosjosecarlos-chavez_atkotj.oktasgarcia-atkoroger.chanmaaantonelewisbyrne-oktatarunpreet.kaur
Keywords: jwks, rsa, jwt
Dependencies (10)
| Package | Constraint | Registry Status |
|---|---|---|
| ms | ^2.1.2 | auto_approved |
| axios | ^0.31.0 | auto_approved |
| debug | ^4.1.0 | auto_approved |
| limiter | ^1.1.5 | pending |
| jsonwebtoken | ^8.5.1 | pending |
| lru-memoizer | ^2.1.2 | auto_approved |
| proxy-from-env | ^1.1.0 | auto_approved |
| http-proxy-agent | ^4.0.1 | auto_approved |
| https-proxy-agent | ^5.0.0 | auto_approved |
| @types/express-jwt | 0.0.42 | auto_approved |
Dev Dependencies (26)
| Package | Constraint | Registry Status |
|---|---|---|
| koa | ^2.12.1 | auto_approved |
| nyc | ^15.1.0 | auto_approved |
| chai | ^3.5.0 | auto_approved |
| nock | ^10.0.6 | pending |
| mocha | ^6.2.3 | auto_approved |
| proxy | ^1.0.2 | Not imported |
| eslint | ^5.16.0 | auto_approved |
| rimraf | ^2.7.1 | auto_approved |
| express | ^4.17.1 | auto_approved |
| koa-jwt | ^3.6.0 | Not imported |
| ts-node | ^8.10.2 | pending |
| passport | ^0.4.1 | rejected |
| babel-cli | ^6.9.0 | auto_approved |
| supertest | ^3.4.2 | auto_approved |
| babel-core | ^6.9.0 | auto_approved |
| typescript | ^3.9.5 | auto_approved |
| @types/chai | ^4.2.11 | pending |
| @types/nock | ^10.0.3 | auto_approved |
| @types/node | ^14.14.12 | auto_approved |
| express-jwt | ^6.0.0 | pending |
| @types/mocha | ^5.2.7 | auto_approved |
| babel-eslint | ^8.2.6 | auto_approved |
| passport-jwt | ^4.0.0 | auto_approved |
| babel-preset-es2015 | ^6.9.0 | auto_approved |
| eslint-plugin-babel | ^5.3.0 | auto_approved |
| babel-preset-stage-0 | ^6.5.0 | auto_approved |
Transitive Dependency Tree
50 transitive deps
max depth 6
├─ @types/express-jwt 0.0.42 → 0.0.42
├─ axios ^0.31.0 → 0.31.1
├─ debug ^4.1.0 → 4.4.3
├─ http-proxy-agent ^4.0.1 → 4.0.1
├─ https-proxy-agent ^5.0.0 → 5.0.1
├─ jsonwebtoken ^8.5.1
├─ limiter ^1.1.5
├─ lru-memoizer ^2.1.2 → 2.3.0
├─ ms ^2.1.2 → 2.1.3
├─ proxy-from-env ^1.1.0 → 1.1.0
├─ @tootallnate/once 1 → 1.1.2
├─ @types/express * → 5.0.6
├─ @types/express-unless * → 2.0.3
├─ agent-base 6 → 6.0.2
├─ debug 4 → 4.4.3
├─ follow-redirects ^1.15.4 → 1.16.0
├─ form-data ^4.0.4 → 4.0.5
├─ lodash.clonedeep ^4.5.0 → 4.5.0
├─ lru-cache 6.0.0 → 6.0.0
├─ ms ^2.1.3 → 2.1.3
├─ proxy-from-env ^1.1.0 → 1.1.0
├─ @types/body-parser * → 1.19.6
├─ @types/express-serve-static-core ^5.0.0 → 5.1.1
├─ @types/serve-static ^2 → 2.2.0
├─ asynckit ^0.4.0
├─ combined-stream ^1.0.8 → 1.0.8
├─ debug 4 → 4.4.3
├─ es-set-tostringtag ^2.1.0 → 2.1.0
├─ hasown ^2.0.2 → 2.0.3
├─ mime-types ^2.1.12 → 2.1.35
├─ ms ^2.1.3 → 2.1.3
├─ yallist ^4.0.0 → 4.0.0
├─ @types/connect * → 3.4.38
├─ @types/http-errors * → 2.0.5
├─ @types/node * → 25.6.0
├─ @types/qs * → 6.15.0
├─ @types/range-parser * → 1.2.7
├─ @types/send * → 1.2.1
├─ delayed-stream ~1.0.0 → 1.0.0
├─ es-errors ^1.3.0 → 1.3.0
├─ function-bind ^1.1.2 → 1.1.2
├─ get-intrinsic ^1.2.6 → 1.3.1
├─ has-tostringtag ^1.0.2 → 1.0.2
├─ hasown ^2.0.2 → 2.0.3
├─ mime-db 1.52.0
├─ ms ^2.1.3 → 2.1.3
├─ @types/node * → 25.6.0
├─ async-function ^1.0.0
├─ async-generator-function ^1.0.0 → 1.0.0
├─ call-bind-apply-helpers ^1.0.2 → 1.0.2
├─ es-define-property ^1.0.1 → 1.0.1
├─ es-errors ^1.3.0 → 1.3.0
├─ es-object-atoms ^1.1.1 → 1.1.1
├─ function-bind ^1.1.2 → 1.1.2
├─ generator-function ^2.0.0 → 2.0.1
├─ get-proto ^1.0.1
├─ gopd ^1.2.0
├─ has-symbols ^1.0.3 → 1.1.0
├─ has-symbols ^1.1.0 → 1.1.0
├─ hasown ^2.0.2 → 2.0.3
├─ math-intrinsics ^1.1.0 → 1.1.0
├─ undici-types ~7.19.0 → 7.19.2
├─ es-errors ^1.3.0 → 1.3.0
├─ function-bind ^1.1.2 → 1.1.2
├─ undici-types ~7.19.0 → 7.19.2
Changes from v4.0.1
Dependency Changes
| Change | Package | Version |
|---|---|---|
| added | ms | ^2.1.2 |
| added | axios | ^0.31.0 |
| added | jsonwebtoken | ^8.5.1 |
| added | proxy-from-env | ^1.1.0 |
| added | http-proxy-agent | ^4.0.1 |
| added | https-proxy-agent | ^5.0.0 |
| added | @types/express-jwt | 0.0.42 |
| removed | jose | ^6.1.3 |
| removed | @types/jsonwebtoken | ^9.0.4 |
| changed | debug | ^4.3.4 → ^4.1.0 |
| changed | lru-memoizer | ^3.0.0 → ^2.1.2 |
Script Changes
+ clean
+ compile
+ prepublish
File Changes
42 added
19 removed
3 modified
size delta: +102.0 KB
SAST Findings (2)
HIGH
Provenance attestation missing — previous versions had it
provenance
This version was published without provenance, but prior versions were published via CI/CD with attestations. This is a strong signal of a potential account compromise or unauthorized publish. The axios attack (March 2026) exhibited exactly this pattern.
HIGH
Publisher changed: GitHub Actions → auth0-oss (on 2026-04-17)
provenance
This version was published by a different npm account than previous versions on 2026-04-17. This could indicate a legitimate maintainer transition or an account compromise.
Review Summary
Risk score: 100 (capped from 133). Findings: 2 high (+50), 8 medium (+80), 1 low (+3).
Commit: 810138073910
Published to npm: