auth0
diff --git a/‎.circleci/config.yml
+29-5 b/‎.circleci/config.yml
+29-5
diff --git a/‎decode.js
+46-2 b/‎decode.js
+46-2
diff --git a/‎lib/asymmetricKeyDetailsSupported.js
-3 b/‎lib/asymmetricKeyDetailsSupported.js
-3
diff --git a/‎lib/base64url.js
+9 b/‎lib/base64url.js
+9
diff --git a/‎lib/flags.js
+5 b/‎lib/flags.js
+5
diff --git a/‎lib/oneShotAlgs.js
+53 b/‎lib/oneShotAlgs.js
+53
diff --git a/‎lib/psSupported.js
-3 b/‎lib/psSupported.js
-3
diff --git a/‎lib/rsaPssKeyDetailsSupported.js
-3 b/‎lib/rsaPssKeyDetailsSupported.js
-3
diff --git a/‎lib/validateAsymmetricKey.js
+2-3 b/‎lib/validateAsymmetricKey.js
+2-3
diff --git a/‎package.json
+5-4 b/‎package.json
+5-4
@@ -3,7 +3,7 @@ version: 2.1
 # Thanks to https://github.com/teppeis-sandbox/circleci2-multiple-node-versions
 
 commands:
-  test-nodejs:
+  test-modern:
     steps:
       - run:
           name: Versions
@@ -15,28 +15,50 @@ commands:
       - run:
           name: Test
           command: npm test
+  test-legacy:
+    steps:
+      - run:
+          name: Versions
+          command: npm version
+      - checkout
+      - run:
+          name: Install dependencies
+          command: npm install
+      - run:
+          name: Test
+          command: npm run test-only
 
 jobs:
   node-v12:
     docker:
       - image: node:12
     steps:
-      - test-nodejs
+      - test-legacy
   node-v14:
     docker:
       - image: node:14
     steps:
-      - test-nodejs
+      - test-legacy
   node-v16:
     docker:
       - image: node:16
     steps:
-      - test-nodejs
+      - test-modern
   node-v18:
     docker:
       - image: node:18
     steps:
-      - test-nodejs
+      - test-modern
+  node-v20:
+    docker:
+      - image: node:20
+    steps:
+      - test-modern
+  node-v22:
+    docker:
+      - image: node:22
+    steps:
+      - test-modern
 
 workflows:
   node-multi-build:
@@ -45,3 +67,5 @@ workflows:
       - node-v14
       - node-v16
       - node-v18
+      - node-v20
+      - node-v22
@@ -1,8 +1,52 @@
-var jws = require('jws');
+function payloadFromJWS(encodedPayload, encoding = "utf8") {
+  try {
+    return Buffer.from(encodedPayload, "base64").toString(encoding);
+  } catch (_) {
+    return;
+  }
+}
+
+function headerFromJWS(encodedHeader) {
+  try {
+    return JSON.parse(Buffer.from(encodedHeader, "base64").toString());
+  } catch (_) {
+    return;
+  }
+}
+
+const JWS_REGEX = /^[a-zA-Z0-9\-_]+?\.[a-zA-Z0-9\-_]+?\.([a-zA-Z0-9\-_]+)?$/;
+
+function isValidJws(string) {
+  return JWS_REGEX.test(string);
+}
+
+function jwsDecode(token, opts) {
+  opts = opts || {};
+
+  if (!isValidJws(token)) return null;
+
+  let [header, payload, signature] = token.split('.');
+
+  header = headerFromJWS(header);
+  if (header === undefined) return null;
+
+  payload = payloadFromJWS(payload);
+  if (payload === undefined) return null;
+
+  if (header.typ === "JWT" || opts.json){
+    payload = JSON.parse(payload);
+  }
+
+  return {
+    header,
+    payload,
+    signature,
+  };
+}
 
 module.exports = function (jwt, options) {
   options = options || {};
-  var decoded = jws.decode(jwt, options);
+  const decoded = jwsDecode(jwt, options);
   if (!decoded) { return null; }
   var payload = decoded.payload;
 
 
@@ -0,0 +1,9 @@
+/* istanbul ignore file */
+if (Buffer.isEncoding("base64url")) {
+  module.exports = (buf) => buf.toString("base64url");
+} else {
+  const fromBase64 = (base64) =>
+    // eslint-disable-next-line no-div-regex
+    base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  module.exports = (buf) => fromBase64(buf.toString("base64"));
+}
@@ -0,0 +1,5 @@
+/* istanbul ignore file */
+const [major, minor] = process.versions.node.split('.').map((v) => parseInt(v, 10));
+
+module.exports.RSA_PSS_KEY_DETAILS_SUPPORTED = major > 16 || (major === 16 && minor >= 9);
+module.exports.ASYMMETRIC_KEY_DETAILS_SUPPORTED = major > 15 || (major === 15 && minor >= 7);
@@ -0,0 +1,53 @@
+const { constants } = require("crypto");
+
+module.exports = function(alg, key) {
+  switch (alg) {
+  case 'RS256':
+    return {
+      digest: 'sha256',
+      key: { key, padding: constants.RSA_PKCS1_PADDING },
+    };
+  case 'RS384':
+    return {
+      digest: 'sha384',
+      key: { key, padding: constants.RSA_PKCS1_PADDING },
+    };
+  case 'RS512':
+    return {
+      digest: 'sha512',
+      key: { key, padding: constants.RSA_PKCS1_PADDING },
+    };
+  case 'PS256':
+    return {
+      digest: 'sha256',
+      key: { key, padding: constants.RSA_PKCS1_PSS_PADDING, saltLength: constants.RSA_PSS_SALTLEN_DIGEST },
+    };
+  case 'PS384':
+    return {
+      digest: 'sha384',
+      key: { key, padding: constants.RSA_PKCS1_PSS_PADDING, saltLength: constants.RSA_PSS_SALTLEN_DIGEST },
+    };
+  case 'PS512':
+    return {
+      digest: 'sha512',
+      key: { key, padding: constants.RSA_PKCS1_PSS_PADDING, saltLength: constants.RSA_PSS_SALTLEN_DIGEST },
+    };
+  case 'ES256':
+    return {
+      digest: 'sha256',
+      key: { key, dsaEncoding: 'ieee-p1363' },
+    };
+  case 'ES384':
+    return {
+      digest: 'sha384',
+      key: { key, dsaEncoding: 'ieee-p1363' },
+    };
+  case 'ES512':
+    return {
+      digest: 'sha512',
+      key: { key, dsaEncoding: 'ieee-p1363' },
+    };
+  default:
+    throw new Error('unreachable');
+  }
+};
@@ -1,5 +1,4 @@
-const ASYMMETRIC_KEY_DETAILS_SUPPORTED = require('./asymmetricKeyDetailsSupported');
-const RSA_PSS_KEY_DETAILS_SUPPORTED = require('./rsaPssKeyDetailsSupported');
+const { ASYMMETRIC_KEY_DETAILS_SUPPORTED, RSA_PSS_KEY_DETAILS_SUPPORTED } = require('./flags');
 
 const allowedAlgorithmsForKeys = {
   'ec': ['ES256', 'ES384', 'ES512'],
@@ -52,7 +51,7 @@ module.exports = function(algorithm, key) {
         const length = parseInt(algorithm.slice(-3), 10);
         const { hashAlgorithm, mgf1HashAlgorithm, saltLength } = key.asymmetricKeyDetails;
 
-        if (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm) {
+        if (hashAlgorithm !== undefined && (hashAlgorithm !== `sha${length}` || mgf1HashAlgorithm !== hashAlgorithm)) {
           throw new Error(`Invalid key for this operation, its RSA-PSS parameters do not meet the requirements of "alg" ${algorithm}.`);
         }
 
 
@@ -21,7 +21,8 @@
   "scripts": {
     "lint": "eslint .",
     "coverage": "nyc mocha --use_strict",
-    "test": "npm run lint && npm run coverage && cost-of-modules"
+    "test": "npm run lint && npm run coverage && cost-of-modules",
+    "test-only": "mocha --use_strict"
   },
   "repository": {
     "type": "git",
@@ -36,23 +37,23 @@
     "url": "https://github.com/auth0/node-jsonwebtoken/issues"
   },
   "dependencies": {
-    "jws": "^3.2.2",
     "lodash.includes": "^4.3.0",
     "lodash.isboolean": "^3.0.3",
     "lodash.isinteger": "^4.0.4",
     "lodash.isnumber": "^3.0.3",
     "lodash.isplainobject": "^4.0.6",
     "lodash.isstring": "^4.0.1",
     "lodash.once": "^4.0.0",
-    "ms": "^2.1.1",
-    "semver": "^7.5.4"
+    "ms": "^2.1.1"
   },
   "devDependencies": {
     "atob": "^2.1.2",
     "chai": "^4.1.2",
     "conventional-changelog": "~1.1.0",
     "cost-of-modules": "^1.0.1",
     "eslint": "^4.19.1",
+    "jose": "^5.8.0",
+    "jws": "^3.2.2",
     "mocha": "^5.2.0",
     "nsp": "^2.6.2",
     "nyc": "^11.9.0",