@mn4367/jwk-to-pem
v2.1.0
Convert a JSON Web Key to a PEM
Why @mn4367/jwk-to-pem?
This is a 100% compatible fork of jwk-to-pem. All credits still belong to them.
The original jwk-to-pem is widely used and depends on
elliptic, which currently (May 4, 2026) has a security problem
but seems to be abandoned. jwk-to-pem itself no longer seems to be receiving updates either. This
fork tries to fix that by removing all dependencies and switching to an implementation that uses
built-in Node.js functions only.
@mn4367/jwk-to-pem will only exist as long as the original jwk-to-pem issue remains
unresolved. After that it will be retired and archived. There also won't be any new features, only
security updates (if possible). It is therefore recommended that you avoid using both modules and,
whenever possible, use built-in Node.js functions or other comparable and maintained modules
instead.
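The recommendation above to prefer built-in Node.js functions, shown as an added example that is neither this fork's nor the original module's code. The names jwkToPemBuiltin and demo are hypothetical, the SPKI and PKCS#8 output encodings are choices made for this example, and Node.js 15.12 or later is assumed for JWK import.

```javascript
// Added example: JWK -> PEM using only node:crypto (assumes Node.js >= 15.12).
const crypto = require('node:crypto');

// Public members per key type. Everything else (d, p, q, ...) is dropped
// before a public key is built, so private material never reaches that path.
const PUBLIC_MEMBERS = { RSA: ['kty', 'n', 'e'], EC: ['kty', 'crv', 'x', 'y'] };
const EC_CURVES = ['P-256', 'P-384', 'P-521'];

// Hypothetical helper; mirrors the jwkToPem(jwk, { private }) call shape.
function jwkToPemBuiltin(jwk, options = {}) {
  if (jwk === null || typeof jwk !== 'object') {
    throw new TypeError('jwk must be an object');
  }
  const members = PUBLIC_MEMBERS[jwk.kty];
  if (!members) throw new Error(`unsupported kty: ${jwk.kty}`);
  if (jwk.kty === 'EC' && !EC_CURVES.includes(jwk.crv)) {
    throw new Error(`unsupported curve: ${jwk.crv}`);
  }
  if (options.private) {
    if (typeof jwk.d !== 'string') throw new Error('jwk has no private parameters');
    // createPrivateKey validates the key material and throws on malformed input.
    return crypto.createPrivateKey({ key: jwk, format: 'jwk' })
      .export({ type: 'pkcs8', format: 'pem' });
  }
  const publicJwk = Object.fromEntries(members.map((m) => [m, jwk[m]]));
  return crypto.createPublicKey({ key: publicJwk, format: 'jwk' })
    .export({ type: 'spki', format: 'pem' });
}

// Constructed sample: a throwaway P-256 key generated at run time
// ('prime256v1' is the OpenSSL name of the curve that JWK calls P-256).
function demo() {
  const { privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  const privateJwk = privateKey.export({ format: 'jwk' });
  const publicPem = jwkToPemBuiltin(privateJwk); // public PEM by default
  const privatePem = jwkToPemBuiltin(privateJwk, { private: true });
  const data = Buffer.from('constructed test message');
  const signature = crypto.sign('sha256', data, privatePem);
  const verified = crypto.verify('sha256', data, publicPem, signature);
  return { publicPem, privatePem, verified };
}
```

The PEM armor and encoding produced here may differ from what jwk-to-pem emits for the same key, so compare the output before swapping it into code that parses the PEM itself.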
Note: The warnings currently emitted by npm audit only affect development dependency modules.
The runtime code of @mn4367/jwk-to-pem is dependency-free and thus causes no audit warnings.
Installation
If you want to use @mn4367/jwk-to-pem directly, add it like any other Node.js module to
package.json:

"dependencies": {
  "@mn4367/jwk-to-pem": "latest"
}

or

"devDependencies": {
  "@mn4367/jwk-to-pem": "latest"
}

To replace an existing direct dependency on jwk-to-pem with the code from @mn4367/jwk-to-pem,
change your package.json as follows:

"dependencies": {
  "jwk-to-pem": "npm:@mn4367/jwk-to-pem"
}

or

"devDependencies": {
  "jwk-to-pem": "npm:@mn4367/jwk-to-pem"
}

If you only need to fix npm audit warnings caused by the original jwk-to-pem somewhere in your
dependency tree, then add @mn4367/jwk-to-pem to the overrides section in package.json:

"overrides": {
  "jwk-to-pem": "npm:@mn4367/jwk-to-pem"
}

This will prevent the original jwk-to-pem from being installed (even by transitive dependencies).
Instead, @mn4367/jwk-to-pem will be used. API usage of the module remains unchanged, so all other
modules depending on jwk-to-pem should work like before.

Important note: After modifying the file package.json you may have to delete the existing
node_modules folder and the file package-lock.json before doing npm i, otherwise the original
jwk-to-pem module may not be replaced.
References:
- https://github.com/advisories/GHSA-848j-6mx2-7j84 (elliptic)
- elliptic issues: 340, 341, 343, 344,
- Discussion of elliptic problem in jwk-to-pem
⬇️ Original README.md down below: ⬇️
jwk-to-pem
Convert a json web key to a PEM for use by OpenSSL or crypto.
Install
npm install jwk-to-pem --save

Usage

var jwkToPem = require('jwk-to-pem'),
    jwt = require('jsonwebtoken');
var jwk = { kty: 'EC', crv: 'P-256', x: '...', y: '...' },
    pem = jwkToPem(jwk);
jwt.verify(token, pem);

Support

key type | support level
---------|--------------
RSA      | all RSA keys
EC       | P-256, P-384, and P-521 curves
API
jwkToPem(Object jwk[, Object options]) -> String
The first parameter should be an Object representing the jwk; it may be public or private. By default, either of the two will be made into a public PEM. The call will throw if the input jwk is malformed or does not represent a valid key.
Option: private Boolean (false)
You may optionally specify that you would like a private PEM. This can be done by passing true to
the private option. The call will throw if the necessary private parameters are not available.
Contributing
- Fork the repository. Committing directly against this repository is highly discouraged.
- Make your modifications in a branch, updating and writing new unit tests as necessary in the spec directory.
- Ensure that all tests pass with npm test
- rebase your changes against master. Do not merge.
- Submit a pull request to this repository. Wait for tests to run and someone to chime in.
Code Style
This repository is configured with EditorConfig and ESLint rules.
