
chore(client): internalize jwt-decode (KNO-13812) #1021

Closed
kylemcd wants to merge 1 commit into kyle-kno-13814-remove-the-clsx-dependency-from-knocklabsreact-native from kyle-kno-13812-internalize-jwt-decode-in-knocklabsclient-and-drop-the

kylemcd (Member) commented Jun 17, 2026

Description

Internalizes jwt-decode in @knocklabs/client and drops the runtime dependency. The package only base64url-decodes a JWT payload and JSON.parses it (no signature verification), so it is reimplemented as a small internal module.

What changed

  • Added packages/client/src/jwt/ — a dedicated folder containing the decoder (jwtDecode, the JwtPayload type, and InvalidTokenError).
  • Repointed the imports in knock.ts (value) and interfaces.ts (type), and updated the mock in test/knock.test.ts to target the internal module.
  • Added packages/client/test/jwt.test.ts covering standard claims, custom-claim typing, unicode payloads, base64url padding, and InvalidTokenError cases.
  • Dropped jwt-decode from packages/client/package.json and updated the lockfile (it was not a transitive dependency of anything else, so it is fully removed).

Why: Part of the npm supply chain hardening effort. @knocklabs/client is published, so dropping the dependency also removes it from every consumer's install graph.

Linear: KNO-13812


Stack (bottom → top) — npm supply chain hardening:

  1. chore(react): remove clsx dependency (KNO-13814) #1020 — remove clsx from @knocklabs/react
  2. chore(client): internalize jwt-decode (KNO-13812) #1021 — internalize jwt-decode in @knocklabs/client ◀ this PR
  3. chore(react): internalize lodash.debounce (KNO-13811) #1022 — internalize lodash.debounce in @knocklabs/react
  4. chore(react-core): internalize fast-deep-equal (KNO-13810) #1023 — internalize fast-deep-equal in @knocklabs/react-core

Checklist

  • Tests have been added (test/jwt.test.ts) and the existing knock.test.ts suite passes.
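What the description above says the module does (base64url-decode the payload, JSON.parse it, verify no signature), as an added JavaScript example that is not the code from this PR. `jwtDecode` and `InvalidTokenError` reuse the names in the description; `base64UrlDecode`, `sampleToken` and the three-segment check are assumptions.

```javascript
// Added example (hypothetical re-implementation, not the PR's module).
class InvalidTokenError extends Error {
  constructor(message) {
    super(message);
    this.name = "InvalidTokenError";
  }
}

// base64url -> UTF-8 text; restores the "=" padding that JWT segments omit.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new InvalidTokenError("segment is not base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects bytes that are not valid UTF-8 instead of guessing
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decodes the payload only. The signature segment is never inspected, so the
// returned claims are unauthenticated input (fine for UI hints such as expiry,
// not for authorization decisions).
function jwtDecode(token) {
  if (typeof token !== "string") {
    throw new InvalidTokenError("token must be a string");
  }
  const parts = token.split(".");
  // Assumption: compact JWS form, header.payload.signature
  if (parts.length !== 3) {
    throw new InvalidTokenError("expected three dot-separated segments");
  }
  let claims;
  try {
    claims = JSON.parse(base64UrlDecode(parts[1]));
  } catch (err) {
    throw new InvalidTokenError(`invalid payload: ${err.message}`);
  }
  if (claims === null || typeof claims !== "object" || Array.isArray(claims)) {
    throw new InvalidTokenError("payload is not a JSON object");
  }
  return claims;
}

// Constructed sample: unsigned token with a placeholder signature (Node Buffer).
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}
```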

linear-code Bot commented Jun 17, 2026

KNO-13812

vercel Bot commented Jun 17, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| javascript-ms-teams-connect-example | Ready | Preview, Comment | Jun 17, 2026 2:40pm |
| javascript-nextjs-example | Ready | Preview, Comment | Jun 17, 2026 2:40pm |
| javascript-slack-connect-example | Ready | Preview, Comment | Jun 17, 2026 2:40pm |
| javascript-slack-kit-example | Ready | Preview, Comment | Jun 17, 2026 2:40pm |


kylemcd (Member, Author) commented Jun 17, 2026

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.

This stack of pull requests is managed by Graphite. Learn more about stacking.

kylemcd force-pushed the kyle-kno-13812-internalize-jwt-decode-in-knocklabsclient-and-drop-the branch from c9a48f5 to 66bf33e, June 17, 2026 14:36

changeset-bot Bot commented Jun 17, 2026
🦋 Changeset detected

Latest commit: 66bf33e

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package:

| Name | Type |
| --- | --- |
| @knocklabs/client | Patch |


codecov Bot commented Jun 17, 2026

Codecov Report

❌ Patch coverage is 85.00000% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.56%. Comparing base (d8d7d22) to head (66bf33e).
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| packages/client/src/jwt/index.ts | 84.74% | 9 Missing ⚠️ |

Additional details and impacted files
@@                                           Coverage Diff                                            @@
##           kyle-kno-13814-remove-the-clsx-dependency-from-knocklabsreact-native    #1021      +/-   ##
========================================================================================================
+ Coverage                                                                 63.44%   63.56%   +0.12%     
========================================================================================================
  Files                                                                       208      209       +1     
  Lines                                                                     10000    10059      +59     
  Branches                                                                   1280     1298      +18     
========================================================================================================
+ Hits                                                                       6344     6394      +50     
- Misses                                                                     3631     3640       +9     
  Partials                                                                     25       25              
| Files with missing lines | Coverage Δ |
| --- | --- |
| packages/client/src/knock.ts | 100.00% <100.00%> (ø) |
| packages/client/src/jwt/index.ts | 84.74% <84.74%> (ø) |
