oauth4webapi 2.3.0 → 2.4.1

package/README.md

@@ -1,13 +1,13 @@
-# OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes
+# OAuth 2 / OpenID Connect for JavaScript Runtimes
 
-This software is a collection of routines upon which framework-specific client modules may be written. Its objective is to support and, where possible, enforce secure and current best practices using only capabilities common to Browser and Non-Browser JavaScript-based runtime environments.
+This software provides a collection of routines that can be used to build client modules for OAuth 2.1, OAuth 2.0 with the latest Security Best Current Practices (BCP), and FAPI 2.0, as well as OpenID Connect where applicable. The primary goal of this software is to promote secure and up-to-date best practices while using only the capabilities common to both browser and non-browser JavaScript runtimes.
 
-Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the latest Security BCP, and FAPI 2.0. Where applicable OpenID Connect is also supported.
+## Features
 
-## In Scope & Implemented
+The following features are currently in scope and implemented in this software:
 
 - Authorization Server Metadata discovery
-- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), PKCE
+- Authorization Code Flow (profiled under OpenID Connect 1.0, OAuth 2.0, OAuth 2.1, and FAPI 2.0), with PKCE
 - Refresh Token, Device Authorization, and Client Credentials Grants
 - Demonstrating Proof-of-Possession at the Application Layer (DPoP)
 - Token Introspection and Revocation
@@ -26,6 +26,8 @@ Target profiles of this software are OAuth 2.1, OAuth 2.0 complemented by the la
 
 ## Dependencies: 0
 
+`oauth4webapi` has no dependencies and it exports tree-shakeable ESM.
+
 ## [Documentation](docs/README.md)
 
 ## [Examples](examples/README.md)
@@ -39,7 +41,7 @@ import * as oauth2 from 'oauth4webapi'
 **`example`** Deno import
 
 ```js
-import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.3.0/mod.ts'
+import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.4.1/mod.ts'
 ```
 
 - Authorization Code Flow - OpenID Connect [source](examples/code.ts), or plain OAuth 2 [source](examples/oauth.ts)
@@ -54,9 +56,8 @@ import * as oauth2 from 'https://deno.land/x/oauth4webapi@v2.3.0/mod.ts'
 
 ## Supported Runtimes
 
-The supported JavaScript runtimes include ones that support the utilized Web API globals and standard built-in objects
+The supported JavaScript runtimes include those that support the utilized Web API globals and standard built-in objects. These are _(but are not limited to)_:
 
-These are _(this is not an exhaustive list)_:
 - Browsers
 - Bun
 - Cloudflare Workers
@@ -67,6 +68,8 @@ These are _(this is not an exhaustive list)_:
 
 ## Out of scope
 
+The following features are currently out of scope:
+
 - CommonJS
 - Implicit, Hybrid, and Resource Owner Password Credentials Flows
 - Mutual-TLS Client Authentication and Certificate-Bound Access Tokens

package/build/index.d.ts

@@ -1,9 +1,13 @@
-type JsonObject = {
+/** JSON Object */
+export type JsonObject = {
     [Key in string]?: JsonValue;
 };
-type JsonArray = JsonValue[];
-type JsonPrimitive = string | number | boolean | null;
-type JsonValue = JsonPrimitive | JsonObject | JsonArray;
+/** JSON Array */
+export type JsonArray = JsonValue[];
+/** JSON Primitives */
+export type JsonPrimitive = string | number | boolean | null;
+/** JSON Values */
+export type JsonValue = JsonPrimitive | JsonObject | JsonArray;
 /**
  * Interface to pass an asymmetric private key and, optionally, its associated JWK Key ID to be
  * added as a `kid` JOSE Header Parameter.
@@ -45,72 +49,74 @@ export type ClientAuthenticationMethod = 'client_secret_basic' | 'client_secret_
 /**
  * Supported JWS `alg` Algorithm identifiers.
  *
- * @example CryptoKey algorithm for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
+ * @example
+ *
+ * CryptoKey algorithm for the `PS256`, `PS384`, or `PS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface RSAPSSAlgorithm extends RsaHashedKeyAlgorithm {
+ * interface PS256 extends RsaHashedKeyAlgorithm {
  *   name: 'RSA-PSS'
- *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
- * }
- *
- * interface PS256 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-256' }
+ *   hash: 'SHA-256'
  * }
  *
- * interface PS384 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-384' }
+ * interface PS384 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSA-PSS'
+ *   hash: 'SHA-384'
  * }
  *
- * interface PS512 extends RSAPSSAlgorithm {
- *   hash: { name: 'SHA-512' }
+ * interface PS512 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSA-PSS'
+ *   hash: 'SHA-512'
  * }
  * ```
  *
- * @example CryptoKey algorithm for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
+ * @example
+ *
+ * CryptoKey algorithm for the `ES256`, `ES384`, or `ES512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface ECDSAAlgorithm extends EcKeyAlgorithm {
+ * interface ES256 extends EcKeyAlgorithm {
  *   name: 'ECDSA'
- *   namedCurve: 'P-256' | 'P-384' | 'P-521'
- * }
- *
- * interface ES256 extends ECDSAAlgorithm {
  *   namedCurve: 'P-256'
  * }
  *
- * interface ES384 extends ECDSAAlgorithm {
+ * interface ES384 extends EcKeyAlgorithm {
+ *   name: 'ECDSA'
  *   namedCurve: 'P-384'
  * }
  *
- * interface ES512 extends ECDSAAlgorithm {
+ * interface ES512 extends EcKeyAlgorithm {
+ *   name: 'ECDSA'
  *   namedCurve: 'P-521'
  * }
  * ```
  *
- * @example CryptoKey algorithm for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
+ * @example
+ *
+ * CryptoKey algorithm for the `RS256`, `RS384`, or `RS512` JWS Algorithm Identifiers
  *
  * ```ts
- * interface ECDSAAlgorithm extends RsaHashedKeyAlgorithm {
+ * interface RS256 extends RsaHashedKeyAlgorithm {
  *   name: 'RSASSA-PKCS1-v1_5'
- *   hash: { name: 'SHA-256' | 'SHA-384' | 'SHA-512' }
- * }
- *
- * interface RS256 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-256' }
+ *   hash: 'SHA-256'
  * }
  *
- * interface RS384 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-384' }
+ * interface RS384 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: 'SHA-384'
  * }
  *
- * interface RS512 extends ECDSAAlgorithm {
- *   hash: { name: 'SHA-512' }
+ * interface RS512 extends RsaHashedKeyAlgorithm {
+ *   name: 'RSASSA-PKCS1-v1_5'
+ *   hash: 'SHA-512'
  * }
  * ```
  *
- * @example CryptoKey algorithm for the `EdDSA` JWS Algorithm Identifier (Experimental)
+ * @example
+ *
+ * CryptoKey algorithm for the `EdDSA` JWS Algorithm Identifier (Experimental)
  *
- * Runtime support for this algorithm is very limited, it depends on the [Secure Curves in the Web
+ * Runtime support for this algorithm is limited, it depends on the [Secure Curves in the Web
  * Cryptography API](https://wicg.github.io/webcrypto-secure-curves/) proposal which is yet to be
  * widely adopted. If the proposal changes this implementation will follow up with a minor release.
  *
@@ -479,7 +485,7 @@ export interface Client {
      *
      * @ignore during Documentation generation but part of the public API
      *
-     * @example Tolerate 30 seconds clock skew when validating JWT claims like `exp` or `nbf`.
+     * @example Tolerate 30 seconds clock skew when validating JWT claims like exp or nbf.
      *
      * ```ts
      * const client: oauth.Client = {
@@ -492,18 +498,24 @@ export interface Client {
     [clockTolerance]?: number;
     [metadata: string]: JsonValue | undefined;
 }
+/** @group Errors */
 export declare class UnsupportedOperationError extends Error {
     constructor(message?: string);
 }
+/** @group Errors */
 export declare class OperationProcessingError extends Error {
-    constructor(message: string);
+    constructor(message: string, options?: {
+        cause?: unknown;
+    });
 }
 export interface HttpRequestOptions {
     /**
      * An AbortSignal instance, or a factory returning one, to abort the HTTP Request(s) triggered by
      * this function's invocation.
      *
-     * @example A 5000ms timeout AbortSignal for every request
+     * @example
+     *
+     * A 5000ms timeout AbortSignal for every request
      *
      * ```js
      * const signal = () => AbortSignal.timeout(5_000) // Note: AbortSignal.timeout may not yet be available in all runtimes.
@@ -530,6 +542,9 @@ export interface DiscoveryRequestOptions extends HttpRequestOptions {
  *
  * @param issuerIdentifier Issuer Identifier to resolve the well-known discovery URI for.
  *
+ * @group Authorization Server Metadata
+ * @group OpenID Connect (OIDC) Discovery
+ *
  * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3)
  * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
  */
@@ -543,6 +558,9 @@ export declare function discoveryRequest(issuerIdentifier: URL, options?: Discov
  *
  * @returns Resolves with the discovered Authorization Server Metadata.
  *
+ * @group Authorization Server Metadata
+ * @group OpenID Connect (OIDC) Discovery
+ *
  * @see [RFC 8414 - OAuth 2.0 Authorization Server Metadata](https://www.rfc-editor.org/rfc/rfc8414.html#section-3)
  * @see [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig)
  */
@@ -550,18 +568,27 @@ export declare function processDiscoveryResponse(expectedIssuerIdentifier: URL,
 /**
  * Generate random `code_verifier` value.
  *
+ * @group Utilities
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group Proof Key for Code Exchange by OAuth Public Clients (PKCE)
+ *
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
  */
 export declare function generateRandomCodeVerifier(): string;
 /**
  * Generate random `state` value.
  *
+ * @group Utilities
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.1)
  */
 export declare function generateRandomState(): string;
 /**
  * Generate random `nonce` value.
  *
+ * @group Utilities
+ *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#IDToken)
  */
 export declare function generateRandomNonce(): string;
@@ -571,6 +598,10 @@ export declare function generateRandomNonce(): string;
  *
  * @param codeVerifier `code_verifier` value generated e.g. from {@link generateRandomCodeVerifier}.
  *
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group Proof Key for Code Exchange by OAuth Public Clients (PKCE)
+ *
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
  */
 export declare function calculatePKCECodeChallenge(codeVerifier: string): Promise<string>;
@@ -611,6 +642,10 @@ export interface PushedAuthorizationRequestOptions extends HttpRequestOptions, A
  * @param client Client Metadata.
  * @param privateKey Private key to sign the Request Object with.
  *
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group JWT-Secured Authorization Request (JAR)
+ *
  * @see [RFC 9101 - The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-object-2)
  */
 export declare function issueRequestObject(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], privateKey: CryptoKey | PrivateKey): Promise<string>;
@@ -622,8 +657,10 @@ export declare function issueRequestObject(as: AuthorizationServer, client: Clie
  * @param client Client Metadata.
  * @param parameters Authorization Request parameters.
  *
- * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-with-pushed-authorizat)
+ * @group Pushed Authorization Requests (PAR)
+ *
+ * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests (PAR)](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-with-pushed-authorizat)
  */
 export declare function pushedAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: PushedAuthorizationRequestOptions): Promise<Response>;
 export interface PushedAuthorizationResponse {
@@ -639,7 +676,19 @@ export interface OAuth2Error {
     readonly scope?: string;
     readonly [parameter: string]: JsonValue | undefined;
 }
-/** A helper function used to determine if a response processing function returned an OAuth2Error. */
+/**
+ * A helper function used to determine if a response processing function returned an OAuth2Error.
+ *
+ * @group Utilities
+ * @group Client Credentials Grant
+ * @group Device Authorization Grant
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group Token Introspection
+ * @group Token Revocation
+ * @group Refreshing an Access Token
+ * @group Pushed Authorization Requests (PAR)
+ */
 export declare function isOAuth2Error(input?: ReturnTypes): input is OAuth2Error;
 export interface WWWAuthenticateChallengeParameters {
     readonly realm?: string;
@@ -649,11 +698,11 @@ export interface WWWAuthenticateChallengeParameters {
     readonly algs?: string;
     readonly scope?: string;
     /** NOTE: because the parameter names are case insensitive they are always returned lowercased */
-    readonly [parameter: string]: string | undefined;
+    readonly [parameter: Lowercase<string>]: string | undefined;
 }
 export interface WWWAuthenticateChallenge {
     /** NOTE: because the value is case insensitive it is always returned lowercased */
-    readonly scheme: string;
+    readonly scheme: Lowercase<string>;
     readonly parameters: WWWAuthenticateChallengeParameters;
 }
 /**
@@ -661,6 +710,17 @@ export interface WWWAuthenticateChallenge {
  *
  * @returns Array of {@link WWWAuthenticateChallenge} objects. Their order from the response is
  *   preserved. `undefined` when there wasn't a `WWW-Authenticate` HTTP Header returned.
+ *
+ * @group Accessing Protected Resources
+ * @group Utilities
+ * @group Client Credentials Grant
+ * @group Device Authorization Grant
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group Token Introspection
+ * @group Token Revocation
+ * @group Refreshing an Access Token
+ * @group Pushed Authorization Requests (PAR)
  */
 export declare function parseWwwAuthenticateChallenges(response: Response): WWWAuthenticateChallenge[] | undefined;
 /**
@@ -674,7 +734,10 @@ export declare function parseWwwAuthenticateChallenges(response: Response): WWWA
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
- * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
+ *
+ * @group Pushed Authorization Requests (PAR)
+ *
+ * @see [RFC 9126 - OAuth 2.0 Pushed Authorization Requests (PAR)](https://www.rfc-editor.org/rfc/rfc9126.html#name-pushed-authorization-reques)
  */
 export declare function processPushedAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<PushedAuthorizationResponse | OAuth2Error>;
 export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions, 'headers'>, DPoPRequestOptions {
@@ -700,8 +763,10 @@ export interface ProtectedResourceRequestOptions extends Omit<HttpRequestOptions
  * @param headers Headers for the request.
  * @param body Request body compatible with the Fetch API and the request's method.
  *
+ * @group Accessing Protected Resources
+ *
  * @see [RFC 6750 - The OAuth 2.0 Authorization Framework: Bearer Token Usage](https://www.rfc-editor.org/rfc/rfc6750.html#section-2.1)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function protectedResourceRequest(accessToken: string, method: 'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH' | string, url: URL, headers: Headers, body: RequestInit['body'], options?: ProtectedResourceRequestOptions): Promise<Response>;
 export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestOptions {
@@ -716,8 +781,11 @@ export interface UserInfoRequestOptions extends HttpRequestOptions, DPoPRequestO
  * @param client Client Metadata.
  * @param accessToken Access Token value.
  *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group OpenID Connect (OIDC) UserInfo
+ *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-protected-resource-access)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-protected-resource-access)
  */
 export declare function userInfoRequest(as: AuthorizationServer, client: Client, accessToken: string, options?: UserInfoRequestOptions): Promise<Response>;
 export interface UserInfoAddress {
@@ -774,6 +842,10 @@ export declare const skipSubjectCheck: unique symbol;
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group OpenID Connect (OIDC) UserInfo
+ *
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#UserInfo)
  */
 export declare function processUserInfoResponse(as: AuthorizationServer, client: Client, expectedSubject: string | typeof skipSubjectCheck, response: Response): Promise<UserInfoResponse>;
@@ -789,9 +861,11 @@ export interface TokenEndpointRequestOptions extends HttpRequestOptions, Authent
  * @param client Client Metadata.
  * @param refreshToken Refresh Token value.
  *
+ * @group Refreshing an Access Token
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function refreshTokenGrantRequest(as: AuthorizationServer, client: Client, refreshToken: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -800,6 +874,8 @@ export declare function refreshTokenGrantRequest(as: AuthorizationServer, client
  * @param ref Value previously resolved from {@link processAuthorizationCodeOpenIDResponse}.
  *
  * @returns JWT Claims Set from an ID Token.
+ *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
  */
 export declare function getValidatedIdTokenClaims(ref: OpenIDTokenEndpointResponse): IDToken;
 /**
@@ -823,6 +899,9 @@ export declare function getValidatedIdTokenClaims(ref: TokenEndpointResponse): I
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Refreshing an Access Token
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-6)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokens)
  */
@@ -838,10 +917,13 @@ export declare function processRefreshTokenResponse(as: AuthorizationServer, cli
  * @param redirectUri `redirect_uri` value used in the authorization request.
  * @param codeVerifier PKCE `code_verifier` to send to the token endpoint.
  *
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  * @see [RFC 7636 - Proof Key for Code Exchange by OAuth Public Clients (PKCE)](https://www.rfc-editor.org/rfc/rfc7636.html#section-4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function authorizationCodeGrantRequest(as: AuthorizationServer, client: Client, callbackParameters: URLSearchParams, redirectUri: string, codeVerifier: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 interface JWTPayload {
@@ -871,7 +953,7 @@ export interface TokenEndpointResponse {
     readonly refresh_token?: string;
     readonly scope?: string;
     /** NOTE: because the value is case insensitive it is always returned lowercased */
-    readonly token_type: string;
+    readonly token_type: 'bearer' | 'dpop' | Lowercase<string>;
     readonly [parameter: string]: JsonValue | undefined;
 }
 export interface OpenIDTokenEndpointResponse {
@@ -881,7 +963,7 @@ export interface OpenIDTokenEndpointResponse {
     readonly refresh_token?: string;
     readonly scope?: string;
     /** NOTE: because the value is case insensitive it is always returned lowercased */
-    readonly token_type: string;
+    readonly token_type: 'bearer' | 'dpop' | Lowercase<string>;
     readonly [parameter: string]: JsonValue | undefined;
 }
 export interface OAuth2TokenEndpointResponse {
@@ -891,7 +973,7 @@ export interface OAuth2TokenEndpointResponse {
     readonly refresh_token?: string;
     readonly scope?: string;
     /** NOTE: because the value is case insensitive it is always returned lowercased */
-    readonly token_type: string;
+    readonly token_type: 'bearer' | 'dpop' | Lowercase<string>;
     readonly [parameter: string]: JsonValue | undefined;
 }
 export interface ClientCredentialsGrantResponse {
@@ -899,7 +981,7 @@ export interface ClientCredentialsGrantResponse {
     readonly expires_in?: number;
     readonly scope?: string;
     /** NOTE: because the value is case insensitive it is always returned lowercased */
-    readonly token_type: string;
+    readonly token_type: 'bearer' | 'dpop' | Lowercase<string>;
     readonly [parameter: string]: JsonValue | undefined;
 }
 /**
@@ -930,6 +1012,9 @@ export declare const skipAuthTimeCheck: unique symbol;
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth)
  */
@@ -945,6 +1030,9 @@ export declare function processAuthorizationCodeOpenIDResponse(as: Authorization
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Authorization Code Grant
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1)
  */
 export declare function processAuthorizationCodeOAuth2Response(as: AuthorizationServer, client: Client, response: Response): Promise<OAuth2TokenEndpointResponse | OAuth2Error>;
@@ -957,8 +1045,10 @@ export interface ClientCredentialsGrantRequestOptions extends HttpRequestOptions
  * @param as Authorization Server Metadata.
  * @param client Client Metadata.
  *
+ * @group Client Credentials Grant
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function clientCredentialsGrantRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: ClientCredentialsGrantRequestOptions): Promise<Response>;
 /**
@@ -972,6 +1062,9 @@ export declare function clientCredentialsGrantRequest(as: AuthorizationServer, c
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Client Credentials Grant
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.4)
  */
 export declare function processClientCredentialsResponse(as: AuthorizationServer, client: Client, response: Response): Promise<ClientCredentialsGrantResponse | OAuth2Error>;
@@ -987,6 +1080,9 @@ export interface RevocationRequestOptions extends HttpRequestOptions, Authentica
  * @param client Client Metadata.
  * @param token Token to revoke. You can provide the `token_type_hint` parameter via
  *   {@link RevocationRequestOptions.additionalParameters options}.
+ *
+ * @group Token Revocation
+ *
  * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2)
  */
 export declare function revocationRequest(as: AuthorizationServer, client: Client, token: string, options?: RevocationRequestOptions): Promise<Response>;
@@ -998,6 +1094,9 @@ export declare function revocationRequest(as: AuthorizationServer, client: Clien
  *
  * @returns Resolves with `undefined` when the request was successful, or an object representing an
  *   OAuth 2.0 protocol style error.
+ *
+ * @group Token Revocation
+ *
  * @see [RFC 7009 - OAuth 2.0 Token Revocation](https://www.rfc-editor.org/rfc/rfc7009.html#section-2)
  */
 export declare function processRevocationResponse(response: Response): Promise<undefined | OAuth2Error>;
@@ -1023,6 +1122,9 @@ export interface IntrospectionRequestOptions extends HttpRequestOptions, Authent
  * @param client Client Metadata.
  * @param token Token to introspect. You can provide the `token_type_hint` parameter via
  *   {@link IntrospectionRequestOptions.additionalParameters options}.
+ *
+ * @group Token Introspection
+ *
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-4)
  */
@@ -1060,6 +1162,9 @@ export interface IntrospectionResponse {
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Token Introspection
+ *
  * @see [RFC 7662 - OAuth 2.0 Token Introspection](https://www.rfc-editor.org/rfc/rfc7662.html#section-2)
  * @see [draft-ietf-oauth-jwt-introspection-response-12 - JWT Response for OAuth Token Introspection](https://www.ietf.org/archive/id/draft-ietf-oauth-jwt-introspection-response-12.html#section-5)
  */
@@ -1074,6 +1179,10 @@ export declare function processIntrospectionResponse(as: AuthorizationServer, cl
  *
  * @returns Validated Authorization Response parameters or Authorization Error Response.
  *
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ * @group JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
+ *
  * @see [JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)](https://openid.net/specs/openid-financial-api-jarm.html)
  */
 export declare function validateJwtAuthResponse(as: AuthorizationServer, client: Client, parameters: URLSearchParams | URL, expectedState?: string | typeof expectNoState | typeof skipStateCheck, options?: HttpRequestOptions): Promise<URLSearchParams | OAuth2Error>;
@@ -1105,6 +1214,9 @@ export declare const expectNoState: unique symbol;
  *
  * @returns Validated Authorization Response parameters or Authorization Error Response.
  *
+ * @group Authorization Code Grant
+ * @group Authorization Code Grant w/ OpenID Connect (OIDC)
+ *
  * @see [RFC 6749 - The OAuth 2.0 Authorization Framework](https://www.rfc-editor.org/rfc/rfc6749.html#section-4.1.2)
  * @see [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html#ClientAuthentication)
  * @see [RFC 9207 - OAuth 2.0 Authorization Server Issuer Identification](https://www.rfc-editor.org/rfc/rfc9207.html)
@@ -1121,6 +1233,8 @@ export interface DeviceAuthorizationRequestOptions extends HttpRequestOptions, A
  * @param client Client Metadata.
  * @param parameters Device Authorization Request parameters.
  *
+ * @group Device Authorization Grant
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1)
  */
 export declare function deviceAuthorizationRequest(as: AuthorizationServer, client: Client, parameters: URLSearchParams | Record<string, string> | string[][], options?: DeviceAuthorizationRequestOptions): Promise<Response>;
@@ -1144,6 +1258,9 @@ export interface DeviceAuthorizationResponse {
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Device Authorization Grant
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.1)
  */
 export declare function processDeviceAuthorizationResponse(as: AuthorizationServer, client: Client, response: Response): Promise<DeviceAuthorizationResponse | OAuth2Error>;
@@ -1155,8 +1272,10 @@ export declare function processDeviceAuthorizationResponse(as: AuthorizationServ
  * @param client Client Metadata.
  * @param deviceCode Device Code.
  *
+ * @group Device Authorization Grant
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
- * @see [draft-ietf-oauth-dpop-16 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.ietf.org/archive/id/draft-ietf-oauth-dpop-16.html#name-dpop-access-token-request)
+ * @see [RFC 9449 - OAuth 2.0 Demonstrating Proof-of-Possession at the Application Layer (DPoP)](https://www.rfc-editor.org/rfc/rfc9449.html#name-dpop-access-token-request)
  */
 export declare function deviceCodeGrantRequest(as: AuthorizationServer, client: Client, deviceCode: string, options?: TokenEndpointRequestOptions): Promise<Response>;
 /**
@@ -1170,6 +1289,9 @@ export declare function deviceCodeGrantRequest(as: AuthorizationServer, client:
  * @returns Resolves with an object representing the parsed successful response, or an object
  *   representing an OAuth 2.0 protocol style error. Use {@link isOAuth2Error} to determine if an
  *   OAuth 2.0 error was returned.
+ *
+ * @group Device Authorization Grant
+ *
  * @see [RFC 8628 - OAuth 2.0 Device Authorization Grant](https://www.rfc-editor.org/rfc/rfc8628.html#section-3.4)
  */
 export declare function processDeviceCodeResponse(as: AuthorizationServer, client: Client, response: Response): Promise<TokenEndpointResponse | OAuth2Error>;
@@ -1185,6 +1307,8 @@ export interface GenerateKeyPairOptions {
  * Generates a CryptoKeyPair for a given JWS `alg` Algorithm identifier.
  *
  * @param alg Supported JWS `alg` Algorithm identifier.
+ *
+ * @group Utilities
  */
 export declare function generateKeyPair(alg: JWSAlgorithm, options?: GenerateKeyPairOptions): Promise<CryptoKeyPair>;
 export {};

package/build/index.js

@@ -1,7 +1,7 @@
 let USER_AGENT;
 if (typeof navigator === 'undefined' || !navigator.userAgent?.startsWith?.('Mozilla/5.0 ')) {
     const NAME = 'oauth4webapi';
-    const VERSION = 'v2.3.0';
+    const VERSION = 'v2.4.1';
     USER_AGENT = `${NAME}/${VERSION}`;
 }
 export const clockSkew = Symbol();
@@ -34,8 +34,8 @@ function decodeBase64Url(input) {
         }
         return bytes;
     }
-    catch {
-        throw new TypeError('The input to be decoded is not correctly encoded.');
+    catch (cause) {
+        throw new OPE('The input to be decoded is not correctly encoded.', { cause });
     }
 }
 function b64u(input) {
@@ -98,8 +98,8 @@ export class UnsupportedOperationError extends Error {
     }
 }
 export class OperationProcessingError extends Error {
-    constructor(message) {
-        super(message);
+    constructor(message, options) {
+        super(message, options);
         this.name = this.constructor.name;
         Error.captureStackTrace?.(this, this.constructor);
     }
@@ -194,12 +194,13 @@ export async function discoveryRequest(issuerIdentifier, options) {
     }
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
-    return fetch(url.href, {
+    const request = new Request(url.href, {
         headers,
         method: 'GET',
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    }).then(processDpopNonce);
+    });
+    return fetch(request).then(processDpopNonce);
 }
 function validateString(input) {
     return typeof input === 'string' && input.length !== 0;
@@ -219,8 +220,8 @@ export async function processDiscoveryResponse(expectedIssuerIdentifier, respons
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -249,7 +250,7 @@ export async function calculatePKCECodeChallenge(codeVerifier) {
     if (!validateString(codeVerifier)) {
         throw new TypeError('"codeVerifier" must be a non-empty string');
     }
-    return b64u(await crypto.subtle.digest({ name: 'SHA-256' }, buf(codeVerifier)));
+    return b64u(await crypto.subtle.digest('SHA-256', buf(codeVerifier)));
 }
 function getKeyAndKid(input) {
     if (input instanceof CryptoKey) {
@@ -473,8 +474,8 @@ export async function issueRequestObject(as, client, parameters, privateKey) {
         try {
             claims.claims = JSON.parse(value);
         }
-        catch {
-            throw new OPE('failed to parse the "claims" parameter as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse the "claims" parameter as JSON', { cause });
         }
         if (!isJsonObject(claims.claims)) {
             throw new OPE('"claims" parameter must be a top level object');
@@ -511,9 +512,7 @@ async function dpopProofJwt(headers, options, url, htm, clockSkew, accessToken)
         htm,
         nonce,
         htu: `${url.origin}${url.pathname}`,
-        ath: accessToken
-            ? b64u(await crypto.subtle.digest({ name: 'SHA-256' }, buf(accessToken)))
-            : undefined,
+        ath: accessToken ? b64u(await crypto.subtle.digest('SHA-256', buf(accessToken))) : undefined,
     }, privateKey);
     headers.set('dpop', proof);
 }
@@ -627,8 +626,8 @@ export async function processPushedAuthorizationResponse(as, client, response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -656,13 +655,14 @@ export async function protectedResourceRequest(accessToken, method, url, headers
         await dpopProofJwt(headers, options.DPoP, url, 'GET', getClockSkew({ [clockSkew]: options?.clockSkew }), accessToken);
         headers.set('authorization', `DPoP ${accessToken}`);
     }
-    return fetch(url.href, {
+    const request = new Request(url.href, {
         body,
         headers,
         method,
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    }).then(processDpopNonce);
+    });
+    return fetch(request).then(processDpopNonce);
 }
 export async function userInfoRequest(as, client, accessToken, options) {
     assertAs(as);
@@ -796,8 +796,8 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
         try {
             json = await response.json();
         }
-        catch {
-            throw new OPE('failed to parse "response" body as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse "response" body as JSON', { cause });
         }
     }
     if (!isJsonObject(json)) {
@@ -822,13 +822,14 @@ export async function processUserInfoResponse(as, client, expectedSubject, respo
 async function authenticatedRequest(as, client, method, url, body, headers, options) {
     await clientAuthentication(as, client, body, headers, options?.clientPrivateKey);
     headers.set('content-type', 'application/x-www-form-urlencoded;charset=UTF-8');
-    return fetch(url.href, {
+    const request = new Request(url.href, {
         body,
         headers,
         method,
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    }).then(processDpopNonce);
+    });
+    return fetch(request).then(processDpopNonce);
 }
 async function tokenEndpointRequest(as, client, grantType, parameters, options) {
     if (typeof as.token_endpoint !== 'string') {
@@ -882,8 +883,8 @@ async function processGenericAccessTokenResponse(as, client, response, ignoreIdT
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -1167,8 +1168,8 @@ export async function processIntrospectionResponse(as, client, response) {
         try {
             json = await response.json();
         }
-        catch {
-            throw new OPE('failed to parse "response" body as JSON');
+        catch (cause) {
+            throw new OPE('failed to parse "response" body as JSON', { cause });
         }
         if (!isJsonObject(json)) {
             throw new OPE('"response" body must be a top level object');
@@ -1188,12 +1189,13 @@ async function jwksRequest(as, options) {
     const headers = prepareHeaders(options?.headers);
     headers.set('accept', 'application/json');
     headers.append('accept', 'application/jwk-set+json');
-    return fetch(url.href, {
+    const request = new Request(url.href, {
         headers,
         method: 'GET',
         redirect: 'manual',
         signal: options?.signal ? signal(options.signal) : null,
-    }).then(processDpopNonce);
+    });
+    return fetch(request).then(processDpopNonce);
 }
 async function processJwksResponse(response) {
     if (!(response instanceof Response)) {
@@ -1207,8 +1209,8 @@ async function processJwksResponse(response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');
@@ -1274,7 +1276,7 @@ function keyToSubtle(key) {
         case 'ECDSA':
             return {
                 name: key.algorithm.name,
-                hash: { name: ecdsaHashName(key.algorithm.namedCurve) },
+                hash: ecdsaHashName(key.algorithm.namedCurve),
             };
         case 'RSA-PSS': {
             checkRsaKeyAlgorithm(key.algorithm);
@@ -1292,10 +1294,10 @@ function keyToSubtle(key) {
         }
         case 'RSASSA-PKCS1-v1_5':
             checkRsaKeyAlgorithm(key.algorithm);
-            return { name: key.algorithm.name };
+            return key.algorithm.name;
         case 'Ed448':
         case 'Ed25519':
-            return { name: key.algorithm.name };
+            return key.algorithm.name;
     }
     throw new UnsupportedOperationError();
 }
@@ -1312,8 +1314,8 @@ async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     try {
         header = JSON.parse(buf(b64u(protectedHeader)));
     }
-    catch {
-        throw new OPE('failed to parse JWT Header body as base64url encoded JSON');
+    catch (cause) {
+        throw new OPE('failed to parse JWT Header body as base64url encoded JSON', { cause });
     }
     if (!isJsonObject(header)) {
         throw new OPE('JWT Header must be a top level object');
@@ -1335,8 +1337,8 @@ async function validateJwt(jws, checkAlg, getKey, clockSkew, clockTolerance) {
     try {
         claims = JSON.parse(buf(b64u(payload)));
     }
-    catch {
-        throw new OPE('failed to parse JWT Payload body as base64url encoded JSON');
+    catch (cause) {
+        throw new OPE('failed to parse JWT Payload body as base64url encoded JSON', { cause });
     }
     if (!isJsonObject(claims)) {
         throw new OPE('JWT Payload must be a top level object');
@@ -1489,11 +1491,11 @@ function algToSubtle(alg, crv) {
         case 'PS256':
         case 'PS384':
         case 'PS512':
-            return { name: 'RSA-PSS', hash: { name: `SHA-${alg.slice(-3)}` } };
+            return { name: 'RSA-PSS', hash: `SHA-${alg.slice(-3)}` };
         case 'RS256':
         case 'RS384':
         case 'RS512':
-            return { name: 'RSASSA-PKCS1-v1_5', hash: { name: `SHA-${alg.slice(-3)}` } };
+            return { name: 'RSASSA-PKCS1-v1_5', hash: `SHA-${alg.slice(-3)}` };
         case 'ES256':
         case 'ES384':
             return { name: 'ECDSA', namedCurve: `P-${alg.slice(-3)}` };
@@ -1502,9 +1504,8 @@ function algToSubtle(alg, crv) {
         case 'EdDSA': {
             switch (crv) {
                 case 'Ed25519':
-                    return { name: 'Ed25519' };
                 case 'Ed448':
-                    return { name: 'Ed448' };
+                    return crv;
                 default:
                     throw new UnsupportedOperationError();
             }
@@ -1548,8 +1549,8 @@ export async function processDeviceAuthorizationResponse(as, client, response) {
     try {
         json = await response.json();
     }
-    catch {
-        throw new OPE('failed to parse "response" body as JSON');
+    catch (cause) {
+        throw new OPE('failed to parse "response" body as JSON', { cause });
     }
     if (!isJsonObject(json)) {
         throw new OPE('"response" body must be a top level object');

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "oauth4webapi",
-  "version": "2.3.0",
-  "description": "OAuth 2 / OpenID Connect for Web Platform API JavaScript runtimes",
+  "version": "2.4.1",
+  "description": "OAuth 2 / OpenID Connect for JavaScript Runtimes",
   "keywords": [
     "auth",
     "authentication",
@@ -28,6 +28,7 @@
     "openid-connect",
     "openid",
     "vercel",
+    "workerd",
     "workers"
   ],
   "homepage": "https://github.com/panva/oauth4webapi",
@@ -58,26 +59,26 @@
     "tap:edge-runtime": "./tap/.edge-runtime.sh",
     "tap:electron": "./tap/.electron.sh",
     "tap:node": "bash -c './tap/.node.sh'",
-    "tap:workers": "./tap/.workers.sh",
+    "tap:workerd": "./tap/.workerd.sh",
     "test": "bash -c 'source .node_flags.sh && ava'"
   },
   "devDependencies": {
-    "@esbuild-kit/esm-loader": "^2.5.5",
-    "@types/node": "^18.16.1",
-    "@types/qunit": "^2.19.4",
-    "ava": "^5.2.0",
-    "edge-runtime": "^2.1.4",
-    "esbuild": "^0.17.18",
-    "jose": "^4.14.1",
-    "patch-package": "^7.0.0",
-    "prettier": "^2.8.8",
-    "prettier-plugin-jsdoc": "^0.4.2",
-    "qunit": "^2.19.4",
-    "timekeeper": "^2.2.0",
-    "typedoc": "^0.24.6",
-    "typedoc-plugin-markdown": "^3.15.2",
-    "typedoc-plugin-mdn-links": "^3.0.3",
-    "typescript": "^5.0.4",
-    "undici": "^5.22.0"
+    "@types/node": "^20.10.6",
+    "@types/qunit": "^2.19.9",
+    "ava": "^5.3.1",
+    "edge-runtime": "^2.5.7",
+    "esbuild": "^0.19.11",
+    "jose": "^5.2.0",
+    "patch-package": "^8.0.0",
+    "prettier": "^3.1.1",
+    "prettier-plugin-jsdoc": "^1.3.0",
+    "qunit": "^2.20.0",
+    "timekeeper": "^2.3.1",
+    "tsx": "^4.7.0",
+    "typedoc": "^0.25.6",
+    "typedoc-plugin-markdown": "^3.17.1",
+    "typedoc-plugin-mdn-links": "^3.1.10",
+    "typescript": "^5.3.3",
+    "undici": "^5.28.2"
   }
 }