Hello 👋
Author of jose here. Over the last couple of months to a year I've been tracking an increased number of Stack Overflow questions, GitHub tickets and discussions across numerous runtimes, buzz in general, about firebase-admin "not working on X" (Deno, CF Workers, Bun, you name it).
As these runtimes struggle to properly emulate the node:crypto module the use of the Node.js-only jsonwebtoken module is often the breaking point for some users.
So, if there was appetite for it from the maintainers of firebase-admin, I'd give replacing jsonwebtoken with jose, which works universally in all the different runtimes, whilst utilizing the given runtime's native crypto, a shot.
From the looks of it, it would appear jose could replace 3 direct dependencies (jsonwebtoken, jwks-rsa, and node-forge), and the resulting transitive dependencies as well of course, all the while having 0 dependencies itself.
I'm probing for interest first before spending the effort, as well as to get buy-in, because the replacement might require bumping the package.json engines entry from 14 to 18 if the latest (v5.x) version of jose is to be used. v4.x does support 14 but it would only receive future security fixes, not bug fixes. I don't think using 4.x should be a blocker as the functions firebase-admin requires are really stable. The change might also require updating the signatures of some of the functions to be promise-based, which may or may not lead to a breaking change and, if so, a major version bump.