Bump jose to v5

[karlismelderis-mckinsey]

Checklist

• I have looked into the Readme and Examples, and have not found a suitable solution or answer.
• I have searched the issues and have not found a suitable solution or answer.
• I have searched the Auth0 Community forums and have not found a suitable solution or answer.
• I agree to the terms within the Auth0 Code of Conduct.

Describe the problem you'd like to have solved

I believe jose v4 is no longer supported

Describe the ideal solution

bump dependency to v5

Alternatives and current workarounds

No response

Additional context

No response

[ssipos90]

agreed, seeing as JOSE 4.15 is now flagged by audit:

$ npm audit
# npm audit report

jose  3.0.0 - 4.15.4
Severity: moderate
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - https://github.com/advisories/GHSA-hhhv-q57g-882q
fix available via `npm audit fix`
node_modules/jwks-rsa/node_modules/jose

[panva]

I believe jose v4 is no longer supported

It clearly is https://github.com/panva/jose#supported-versions

agreed, seeing as JOSE 4.15 is now flagged by audit:

4.15.5 and 2.0.7 was released as per the Supported Versions matrix to fix the vulnerability in those release lines.

jose to v5

not necessary, all you need to do is to run whatever equivalent of npm upgrade in your package manager is, 4.15.5 will be installed and there's no longer an issue.

[blindperson]

Hi team, do we have any plan to ship in this pr?
#405

[javierjulio]

Looks like #405 was closed in favor of #402. It would help to have a new release including that security fix.

[novotnyJiri]

Hi guys, any update on this? We would like to upgrade jose to v5 in our codebase since bug fixes and new features are no longer supported in v4. Is there any plan on upgrading jose in node-jwks-rsa to v5?