I know this PR is months old now and has been approved and merged and published, but I just ran into a code breakage while upgrading @types/jsonwebtoken from 8.5.1->8.5.5 which should be compatible.

Given that: JwtHeader requires alg to be defined

and that: SignOptions specifies an algorithm?: Algorithm | undefined;

and that: jsonwebtoken's implementation of generating the header is:

  var header = Object.assign({
    alg: options.algorithm || 'HS256',
    typ: isObjectPayload ? 'JWT' : undefined,
    kid: options.keyid
  }, options.header);

This leads to the SignOptions.algorithm being completely ignored in 100% of usage.

Separately, the Types have been broken in the interface for SignOptions.

Example code that used to work in 8.5.1 that broke in 8.5.2:

JWT.sign(payload, privateKey, {
    algorithm: 'RS256',
    header: {
      kid,
    },
  });

^ the above now fails type checking as alg is not defined in the header.

The fix is pretty easy, move algorithm into header.alg, but more so I just wanted to point out that these changes were not semantic version compatible and now SignOptions.algorithm is completely ignored (due to the forcing of defining alg in the header).

I'm happy to put up a PR if you want but I don't have strong opinions about what the right solution is,
eg: removing SignOptions.algorithm or using Partial<JwtHeader> in the SignOptions and correcting the jsonwebtoken package.

The alg is a required attribute according to the rfc

Parameter MUST be present and MUST be understood and processed by
implementations

If the changes were not versioned according to semantic versioning, then it must have been a mistake, not intentional.

I'm confused, is this SignOptions is in auth0/node-jsonwebtoken because that would be an implementation and surely this issue is on their side? I could be wrong, I would imagine the auth0 guys would know their stuff.

For now I would assume that SignOptions needs to be updated.

Yea, it's how they implemented it.

I think there are a couple ambiguity problems-

1. jsonwebtoken providing undocumented/unclear behavior when specifying algorithm (their README/Docs don't explain how it handles conflicts - eg if SignOptions.algorithm = 'RS256' but SignOptions.header.alg = 'HS256') (seemingly accidentally)
2. @types/jsonwebtoken introducing a change that breaks existing implementations (see my case where SignOptions.algorithm is defined but JwtHeader.alg is not) since changing from object to JwtHeader in the SignOptions.header type, but only appears as a patch version8.5.1->8.5.2 (also seemingly accidentally)

My personal opinion is that there should only be 1 place to specify Algorithm. If I had my way, I'd agree with you to remove algorithm from SignOptions, fix the jsonwebtoken implementation linked above, and keep it in JwtHeader since it seems that is the least ambiguous path forward. That's a big change that affects both of these projects though, so I didn't put up a PR since that's just my opinion.

For clarity: I perceived that both of these were just accidents, hopefully my tone didn't come off as negative or accusatory :)

Just got bitten by this. We had a package-lock file in place which was pulling in 8.5.1, so we didn't notice it until today when we finally updated the lock file. Thanks for this comment trail. It helped us understand the issue and implement a temporary fix.

Perhaps an optional type argument could be considered too?

or extends rather than =
but anyhow that would violate https://github.com/Microsoft/dtslint/blob/master/docs/no-unnecessary-generics.md :(

A type argument has come up before and shouldn't be added because of the following reason in the link you posted:

getMeAT<T>(): T:
If a type parameter does not appear in the types of any parameters, you don't really have a generic function, you just have a disguised type assertion.
Prefer to use a real type assertion, e.g. getMeAT() as number.
Example where a type parameter is acceptable: function id<T>(value: T): T;.
Example where it is not acceptable: function parseJson<T>(json: string): T;.
Exception: new Map<string, number>() is OK.

This is because otherwise you'll write code that assumes that all the tokens passed in are well formed which is bad since the tokens are usually passed from other systems or third parties...