Skip to content

build(deps): bump io.jsonwebtoken:jjwt-impl from 0.11.2 to 0.13.0 #353

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

build(deps): bump io.jsonwebtoken:jjwt-impl from 0.11.2 to 0.13.0 #353

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Aug 21, 2025

Bumps io.jsonwebtoken:jjwt-impl from 0.11.2 to 0.13.0.

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

  • Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

0.12.6

This patch release:

  • Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See jwtk/jjwt#947.

... (truncated)

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

  • Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

0.12.6

This patch release:

  • Ensures that after successful JWS signature verification, an application-configured Base64Url Decoder output is used to construct a Jws instance (instead of JJWT's default decoder). See Issue 947.
  • Fixes a decompression memory leak in concurrent/multi-threaded environments introduced in 0.12.0 when decompressing JWTs with a zip header of GZIP. See Issue 949.
  • Upgrades BouncyCastle to 1.78 via PR 941.
  • Ensures that a JwkSet's keys list member is no longer considered secret and is not redacted by default. However, each individual JWK element within the keys list may still have redacted private or secret members as expected. See Issue 976.

0.12.5

This patch release:

  • Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer

... (truncated)

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
build(deps): bump io.jsonwebtoken:jjwt-impl from 0.11.2 to 0.13.0
dcbd825 
Bumps [io.jsonwebtoken:jjwt-impl](https://github.com/jwtk/jjwt) from 0.11.2 to 0.13.0.
- [Release notes](https://github.com/jwtk/jjwt/releases)
- [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md)
- [Commits](jwtk/jjwt@0.11.2...0.13.0)

---
updated-dependencies:
- dependency-name: io.jsonwebtoken:jjwt-impl
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels Aug 21, 2025
@dependabot dependabot bot mentioned this pull request Aug 21, 2025
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file java Pull requests that update java code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants