Jose Laravel Package

Product Decisions This Supports

• Supports legacy systems requiring standards-compliant JWT/JWS/JWE handling where migration is not feasible (e.g., existing codebases already using namshi/jose).
• Avoids "reinventing the wheel" for cryptographic token operations in non-Laravel PHP projects, though Laravel-specific projects should prioritize ecosystem-compatible alternatives.
• For new projects, this package represents a high-risk buy due to unmaintained status—build vs. buy analysis strongly favors actively maintained libraries like firebase/php-jwt or web-token/jwt-library.

When to Consider This Package

• Only for maintaining existing systems where namshi/jose is already deeply integrated and migration cost outweighs risks.
• If specific legacy algorithm requirements (e.g., obsolete RSA variants) are needed and alternatives don’t support them (unlikely—modern libraries cover all common standards).
• Avoid for: New Laravel projects (conflicts with Sanctum/Passport’s lcobucci/jwt dependency), PHP 8+ environments (requires manual patching), or any security-sensitive use case (no recent updates for CVEs).

How to Pitch It (Stakeholders)

"Namshi/Jose is a historically solid JOSE library but has been unmaintained since 2018—posing critical security and compatibility risks for new projects. While we’ll support it for legacy systems already using it, we strongly recommend against adopting it for any new work. For Laravel projects, use Sanctum/Passport’s built-in JWT tools or switch to actively maintained alternatives like firebase/php-jwt for better security, PHP 8+ support, and seamless ecosystem integration. This avoids technical debt and ensures compliance with modern security practices."