Bump the jwt group with 3 updates #1581

dependabot · 2025-08-15T00:35:28Z

Bumps the jwt group with 3 updates: io.jsonwebtoken:jjwt-api, io.jsonwebtoken:jjwt-impl and io.jsonwebtoken:jjwt-jackson.

Updates io.jsonwebtoken:jjwt-api from 0.12.6 to 0.12.7

Release notes

Sourced from io.jsonwebtoken:jjwt-api's releases.

0.12.7

This patch release:

Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

Emptying the zip() nested collection disables JWT decompression.

Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).

Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

See Issue 996.

Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

See Issue 988.

Upgrades the Gson dependency to 2.11.0

Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

@sigpwned made their first contribution in jwtk/jjwt#968

@TheMrMilchmann made their first contribution in jwtk/jjwt#979

@atanasg made their first contribution in jwtk/jjwt#974

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-api's changelog.

0.12.7

This patch release:

Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

Emptying the zip() nested collection disables JWT decompression.

Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).

Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

See Issue 996.

Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

See Issue 988.

Upgrades the Gson dependency to 2.11.0

Upgrades the BouncyCastle dependency to 1.78.1

Commits

77aeda0 [maven-release-plugin] prepare release 0.12.7
47d966f Testing latest sonatype central publishing guidelines
22ca29f [maven-release-plugin] rollback the release of 0.12.7
0487f9b [maven-release-plugin] prepare for next development iteration
4329125 [maven-release-plugin] prepare release 0.12.7
0ddc514 - Ensured JJWT_RELEASE_VERSION placeholders reference 0.12.7
efed1cf Updated 0.12.7 change list
ca27b12 Resolves #1010 (#1011)
55c7b9a Resolves #771 (#1009)
6e9c6a5 Bump org.bouncycastle:bcpkix-jdk18on from 1.78 to 1.78.1 (#1008)
Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-impl from 0.12.6 to 0.12.7

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.12.7

This patch release:

Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

Emptying the zip() nested collection disables JWT decompression.

Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).

Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

See Issue 996.

Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

See Issue 988.

Upgrades the Gson dependency to 2.11.0

Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

@sigpwned made their first contribution in jwtk/jjwt#968

@TheMrMilchmann made their first contribution in jwtk/jjwt#979

@atanasg made their first contribution in jwtk/jjwt#974

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.12.7

This patch release:

Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

Emptying the zip() nested collection disables JWT decompression.

Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).

Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

See Issue 996.

Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

See Issue 988.

Upgrades the Gson dependency to 2.11.0

Upgrades the BouncyCastle dependency to 1.78.1

Commits

77aeda0 [maven-release-plugin] prepare release 0.12.7
47d966f Testing latest sonatype central publishing guidelines
22ca29f [maven-release-plugin] rollback the release of 0.12.7
0487f9b [maven-release-plugin] prepare for next development iteration
4329125 [maven-release-plugin] prepare release 0.12.7
0ddc514 - Ensured JJWT_RELEASE_VERSION placeholders reference 0.12.7
efed1cf Updated 0.12.7 change list
ca27b12 Resolves #1010 (#1011)
55c7b9a Resolves #771 (#1009)
6e9c6a5 Bump org.bouncycastle:bcpkix-jdk18on from 1.78 to 1.78.1 (#1008)
Additional commits viewable in compare view

Updates io.jsonwebtoken:jjwt-jackson from 0.12.6 to 0.12.7

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the jwt group with 3 updates: [io.jsonwebtoken:jjwt-api](https://github.com/jwtk/jjwt), [io.jsonwebtoken:jjwt-impl](https://github.com/jwtk/jjwt) and io.jsonwebtoken:jjwt-jackson. Updates `io.jsonwebtoken:jjwt-api` from 0.12.6 to 0.12.7 - [Release notes](https://github.com/jwtk/jjwt/releases) - [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md) - [Commits](jwtk/jjwt@0.12.6...0.12.7) Updates `io.jsonwebtoken:jjwt-impl` from 0.12.6 to 0.12.7 - [Release notes](https://github.com/jwtk/jjwt/releases) - [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md) - [Commits](jwtk/jjwt@0.12.6...0.12.7) Updates `io.jsonwebtoken:jjwt-jackson` from 0.12.6 to 0.12.7 --- updated-dependencies: - dependency-name: io.jsonwebtoken:jjwt-api dependency-version: 0.12.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: jwt - dependency-name: io.jsonwebtoken:jjwt-impl dependency-version: 0.12.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: jwt - dependency-name: io.jsonwebtoken:jjwt-jackson dependency-version: 0.12.7 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: jwt ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file java Pull requests that update Java code labels Aug 15, 2025

karianna approved these changes Aug 17, 2025

View reviewed changes

karianna merged commit 86b8781 into main Aug 17, 2025
7 checks passed

dependabot bot deleted the dependabot/maven/jwt-e938afcb0a branch August 17, 2025 23:09

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Bump the jwt group with 3 updates #1581

Bump the jwt group with 3 updates #1581

Uh oh!

dependabot bot commented on behalf of github Aug 15, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Bump the jwt group with 3 updates #1581

Bump the jwt group with 3 updates #1581

Uh oh!

Conversation

dependabot bot commented on behalf of github Aug 15, 2025

0.12.7

New Contributors

0.12.7

0.12.7

New Contributors

0.12.7

Uh oh!

Uh oh!

Uh oh!