Closed renovate[bot] closed 10 months ago
Not dealing with this update for now, will be done with the rest of the module updates.
Because you closed this PR without merging, Renovate will ignore this update (`0.12.3`). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the `ignoreDeps` array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
- `0.11.5` -> `0.12.3`
- `0.11.5` -> `0.12.3`
- `0.11.5` -> `0.12.3`
Release Notes
jwtk/jjwt (io.jsonwebtoken:jjwt-gson)

### [`v0.12.3`](https://togithub.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0123)

[Compare Source](https://togithub.com/jwtk/jjwt/compare/0.12.2...0.12.3)

This patch release:

- Upgrades the `org.json` dependency to `20231013` to address that library's [CVE-2023-5072](https://nvd.nist.gov/vuln/detail/CVE-2023-5072) vulnerability.
- (Re-)enables empty values for custom claims, which was the behavior in <= 0.11.5. [Issue 858](https://togithub.com/jwtk/jjwt/issues/858).

### [`v0.12.2`](https://togithub.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0122)

[Compare Source](https://togithub.com/jwtk/jjwt/compare/0.12.1...0.12.2)

This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did *not* have its own `module-info.java` file.

This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS module (scope) problems on >= JDK 17. As such, `--add-opens` flags are no longer required to use JJWT.

The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert expected functionality in a 'clean room' environment in a project both with and without `module-info.java` usage.

### [`v0.12.1`](https://togithub.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0121)

[Compare Source](https://togithub.com/jwtk/jjwt/compare/0.12.0...0.12.1)

Enabled reflective access on JDK 17+ to `java.io.ByteArrayInputStream` and `sun.security.util.KeyUtil` for `jjwt-impl.jar`.

### [`v0.12.0`](https://togithub.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0120)

[Compare Source](https://togithub.com/jwtk/jjwt/compare/0.11.5...0.12.0)

This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more! See the sections below enumerating all new features as well as important notes on breaking changes or backwards-incompatible changes made in preparation for the upcoming 1.0 release.

**Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release where you can address breaking changes one time only**.

Those that need immediate JWE encryption and JWK key support however will likely want to upgrade now and deal with the smaller subset of breaking changes in the 1.0 release.

##### Simplified Starter Jar

Those upgrading to new modular JJWT versions from old single-jar versions will transparently obtain everything they need in their Maven, Gradle or Android projects.

JJWT's early releases had one and only one .jar: `jjwt.jar`. Later releases moved to a modular design with 'api' and 'impl' jars including 'plugin' jars for Jackson, GSON, org.json, etc. Some users upgrading from the earlier single jar to JJWT's later versions have been frustrated by being forced to learn how to configure the more modular .jars.

This release re-introduces the `jjwt.jar` artifact again, but this time it is simply an empty .jar with Maven metadata that will automatically transitively download the following into a project, retaining the old single-jar behavior:

- `jjwt-api.jar`
- `jjwt-impl.jar`
- `jjwt-jackson.jar`

Naturally, developers are still encouraged to configure the modular .jars as described in JJWT's documentation for greater control and to enable their preferred JSON parser, but this stop-gap should help those unaware when upgrading.

##### JSON Web Encryption (JWE) Support!

This has been a long-awaited feature for JJWT, years in the making, and it is quite extensive - so many encryption algorithms and key management algorithms are defined by the JWA specification, and new API concepts had to be introduced for all of them, as well as extensive testing with RFC-defined test vectors. The wait is over!\
All JWA-defined encryption algorithms and key management algorithms are fully implemented and supported and available immediately. For example:

```java
AeadAlgorithm enc = Jwts.ENC.A256GCM;
SecretKey key = enc.key().build();
String compact = Jwts.builder().setSubject("Joe").encryptWith(key, enc).compact();
// Jwe (the release notes are cut off at this point in the PR body)
```

Configuration
📅 Schedule: Branch creation - "before 6:00am" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.
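
The JWE snippet in the 0.12.0 release notes above stops after encryption. The following added example (not part of this PR or of JJWT's own documentation) carries it through decryption and shows that the parser rejects a wrong key and a modified ciphertext. It assumes `jjwt-api`, `jjwt-impl` and a JSON module such as `jjwt-gson` at 0.12.x on the classpath; the class name `JweRoundTrip` and the helper `rejected` are hypothetical.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwe;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.security.AeadAlgorithm;
import javax.crypto.SecretKey;

public class JweRoundTrip {

    // Hypothetical helper: true only if the parser refuses the token for this key.
    static boolean rejected(String compact, SecretKey key) {
        try {
            Jwts.parser().decryptWith(key).build().parseEncryptedClaims(compact);
            return false;
        } catch (JwtException e) {
            // Covers authentication-tag failures as well as malformed input.
            return true;
        }
    }

    public static void main(String[] args) {
        AeadAlgorithm enc = Jwts.ENC.A256GCM;
        SecretKey key = enc.key().build();      // fresh random 256-bit key
        SecretKey otherKey = enc.key().build(); // unrelated key, for the negative case

        // Direct encryption with a shared symmetric key, as in the release notes.
        String compact = Jwts.builder().subject("Joe").encryptWith(key, enc).compact();

        // Decrypt and read the claims back.
        Jwe<Claims> jwe = Jwts.parser().decryptWith(key).build()
                .parseEncryptedClaims(compact);
        System.out.println("sub = " + jwe.getPayload().getSubject());
        System.out.println("enc = " + jwe.getHeader().getEncryptionAlgorithm());

        // A compact JWE has five dot-separated parts:
        // header . encrypted key (empty here) . IV . ciphertext . tag
        String[] parts = compact.split("\\.", -1);
        char first = parts[3].charAt(0);
        // Constructed tampering: change one base64url character of the ciphertext.
        parts[3] = (first == 'A' ? 'B' : 'A') + parts[3].substring(1);
        String tampered = String.join(".", parts);

        System.out.println("wrong key rejected: " + rejected(compact, otherKey));
        System.out.println("tampered rejected:  " + rejected(tampered, key));
        System.out.println("original rejected:  " + rejected(compact, key));
    }
}
```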