Release notes
0.12.5
This release fixes issue #916 and ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:
```java
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'
```
Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).
However, standard fluent builder chains are still recommended for readability when feasible, e.g.
These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.4
This patch release completes 10 issues, with two especially noteworthy changes and a number of other smaller bug fixes and enhancements.
The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom ObjectMapper if desired.
Password-based JWE encryption key algorithms (PBES2_HS256_A128KW, PBES2_HS384_A192KW and PBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!
A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
Changelog
0.12.5
Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:
```java
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'
```
Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling .add(value)).
However, standard fluent builder chains are still recommended for readability when feasible, e.g.
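To see from the verifier's side what the 0.12.5 NestedCollection fix (described in both the release notes and the changelog above) changes, here is an added example, my code rather than JJWT's own, that builds a token both ways and parses it with a parser that requires the audience claim. The class name, subject value and throwaway key are constructed for the demo; `requireAudience` and `MissingClaimException` are JJWT 0.12.x API as I know it.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.JwtBuilder;
import io.jsonwebtoken.JwtParser;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.MissingClaimException;
import javax.crypto.SecretKey;
import java.util.Set;

public class AudienceApplyCheck {
    // Throwaway HS256 key generated for this demo only (constructed, not a real secret).
    private static final SecretKey KEY = Jwts.SIG.HS256.key().build();

    // Verifier side: check the signature AND require the expected audience, so a token
    // whose 'aud' was silently dropped at build time is rejected instead of accepted.
    private static final JwtParser PARSER = Jwts.parser()
            .verifyWith(KEY)
            .requireAudience("an-audience")
            .build();

    // The pattern from the release notes: mutate the nested collection, no .and() call.
    static String buildWithoutAnd() {
        JwtBuilder builder = Jwts.builder().subject("demo-user");
        builder.audience().add("an-audience"); // applied immediately as of 0.12.5
        return builder.signWith(KEY).compact();
    }

    // The fluent chain the notes recommend when it reads better.
    static String buildFluent() {
        return Jwts.builder().subject("demo-user")
                .audience().add("an-audience").and()
                .signWith(KEY).compact();
    }

    // Returns the verified audience set; throws if the signature or 'aud' check fails.
    static Set<String> audienceOf(String jws) {
        Claims claims = PARSER.parseSignedClaims(jws).getPayload();
        return claims.getAudience();
    }

    public static void main(String[] args) {
        for (String jws : new String[]{buildWithoutAnd(), buildFluent()}) {
            try {
                System.out.println("accepted, aud = " + audienceOf(jws));
            } catch (MissingClaimException e) { // what a 0.12.3 buildWithoutAnd() token hits
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

On 0.12.5 both tokens are accepted; the point of requiring the audience on the parser is that a token built without it fails closed rather than being accepted for any audience.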
This patch release includes various changes listed below.
Jackson Default Parsing Behavior
This release makes two behavioral changes to JJWT's default Jackson ObjectMapper parsing settings:
In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could have undesirable effects on an application, JJWT's default ObjectMapper is now configured to explicitly reject/fail parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.
For example, now the following JSON, if parsed, would fail (be rejected) by default:
Technically, the JWT RFCs do allow duplicate named fields as long as the last parsed member is the one used (see JWS RFC 7515, Section 4), so this is allowed.
However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these
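As an added illustration of the duplicate-member rule (my code, not JJWT's), this compares a lenient and a strict Jackson `ObjectMapper` on a constructed claims document with a repeated `sub` member, and shows the `Jwts.parser().json(...)` hook through which an application supplies its own mapper, which is the override the changelog mentions. That JJWT's new default corresponds to Jackson's `STRICT_DUPLICATE_DETECTION` feature is my assumption; the class name and sample JSON are constructed.

```java
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import io.jsonwebtoken.JwtParserBuilder;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.jackson.io.JacksonDeserializer;
import java.util.Map;

public class DuplicateMemberCheck {
    // Constructed sample claims: 'sub' appears twice. A last-one-wins parser yields
    // sub=admin; a strict parser refuses the whole document.
    static final String DUPLICATE_SUB =
            "{\"sub\":\"alice\",\"aud\":\"an-audience\",\"sub\":\"admin\"}";

    // Strict: Jackson throws JsonParseException on a repeated member name.
    static final ObjectMapper STRICT = new ObjectMapper()
            .enable(JsonParser.Feature.STRICT_DUPLICATE_DETECTION);

    // Jackson's own out-of-the-box setting, kept here only for comparison.
    static final ObjectMapper LENIENT = new ObjectMapper();

    // Returns the parsed claims, or null when the mapper rejects the document.
    static Map<String, Object> parseClaims(ObjectMapper mapper, String json) {
        try {
            return mapper.readValue(json, new TypeReference<Map<String, Object>>() {});
        } catch (JsonProcessingException e) {
            return null;
        }
    }

    // How an application hands JJWT a custom ObjectMapper (jjwt-jackson 0.12.x API as
    // I know it), e.g. to keep strict duplicate detection on explicitly.
    static JwtParserBuilder parserUsing(ObjectMapper mapper) {
        return Jwts.parser().json(new JacksonDeserializer<>(mapper));
    }

    public static void main(String[] args) {
        System.out.println("lenient: " + parseClaims(LENIENT, DUPLICATE_SUB)); // last 'sub' wins
        System.out.println("strict:  " + parseClaims(STRICT, DUPLICATE_SUB));  // rejected -> null
        parserUsing(STRICT); // builder ready to verify tokens with the strict mapper
    }
}
```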
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the dependencies group with 11 updates:

| Package | From | To |
| --- | --- | --- |
| org.mockito:mockito-core | 5.8.0 | 5.11.0 |
| com.fasterxml.jackson.core:jackson-databind | 2.16.1 | 2.17.0 |
| com.fasterxml.jackson.core:jackson-annotations | 2.16.1 | 2.17.0 |
| com.fasterxml.jackson.core:jackson-core | 2.16.1 | 2.17.0 |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.16.1 | 2.17.0 |
| io.jsonwebtoken:jjwt | 0.12.3 | 0.12.5 |
| org.slf4j:slf4j-api | 2.0.11 | 2.0.12 |
| ch.qos.logback:logback-classic | 1.4.14 | 1.5.3 |
| org.apache.maven.plugins:maven-compiler-plugin | 3.12.1 | 3.13.0 |
| org.owasp:dependency-check-maven | 9.0.8 | 9.1.0 |
| org.apache.maven.plugins:maven-gpg-plugin | 3.1.0 | 3.2.2 |
Updates `org.mockito:mockito-core` from 5.8.0 to 5.11.0
Release notes
Sourced from org.mockito:mockito-core's releases.
... (truncated)
Commits
- ea6ff8c Add native method to MissingMethodInvocationException (#3283)
- 8431ae2 Bump com.google.googlejavaformat:google-java-format (#3277)
- a10d43c Bump versions.bytebuddy from 1.14.11 to 1.14.12 (#3272)
- 699799d Bump gradle/wrapper-validation-action from 2.1.0 to 2.1.1 (#3268)
- 861ca99 Bump org.shipkit:shipkit-auto-version from 2.0.3 to 2.0.4 (#3267)
- 043c0f0 Bump gradle/wrapper-validation-action from 2.0.1 to 2.1.0 (#3266)
- fa31e11 Bump gradle/wrapper-validation-action from 2.0.0 to 2.0.1 (#3264)
- efa8d2a Bump org.junit.platform:junit-platform-launcher from 1.10.1 to 1.10.2 (#3265)
- 66d18cc Bump org.assertj:assertj-core from 3.25.2 to 3.25.3 (#3261)
- e76f14a Bump versions.junitJupiter from 5.10.1 to 5.10.2 (#3260)
Updates `com.fasterxml.jackson.core:jackson-databind` from 2.16.1 to 2.17.0
Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.16.1 to 2.17.0
Updates `com.fasterxml.jackson.core:jackson-core` from 2.16.1 to 2.17.0
Commits
- 8fba680 [maven-release-plugin] prepare release jackson-core-2.17.0
- 486b33f Prepare for 2.17.0 release
- a6a1074 Merge branch '2.16' into 2.17
- e5b5e34 Back to snapshot deps
- 8938de4 [maven-release-plugin] prepare for next development iteration
- 4162dfc [maven-release-plugin] prepare release jackson-core-2.16.2
- 37ef9b3 Prepare for 2.16.2 release
- e2cc65d Bump the github-actions group with 3 updates (#1236)
- d29507f Improve #1149 wrt JsonParser.getNumberTypeFP() default implementation (#1235)
- 1994217 Add explicit override for JSON parsers for JsonParser.getNumberTypeFP()
Updates `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.16.1 to 2.17.0
Updates `io.jsonwebtoken:jjwt` from 0.12.3 to 0.12.5
Release notes
Sourced from io.jsonwebtoken:jjwt's releases.
Changelog
Sourced from io.jsonwebtoken:jjwt's changelog.
... (truncated)
Commits
- 2399e2f [maven-release-plugin] prepare release 0.12.5
- 8d3de65 Preparing for 0.12.5 release
- a0a123e PR #917
- afcd889 0.12.4 staging (#913)
- dd10b12 Added JWK Set documentation to README.md Jwkset doc (#912)
- 6335381 PBES2 decryption maximum iterations (#911)
- 2884eb7 - Updating to GitHub latest actions/checkout and actions/setup-java script ve...
- 628bd6f Secret JWK `k` values larger than HMAC-SHA minimums (#909)
- b12dabf Fix small typos (#908)
- 26f5dc3 Updating changelog with more information/clarity for the 0.12.4 release (#907)
Updates `org.slf4j:slf4j-api` from 2.0.11 to 2.0.12
Updates `ch.qos.logback:logback-classic` from 1.4.14 to 1.5.3
Commits
- f2d8a1a prepare release 1.5.3
- 99ccca7 fix /issues/785
- df7c7c5 prepare work on 1.5.3-SNAPSHOT
- baf5d70 prepare release 1.5.2
- 6998e81 add NoAutoStartUtil.shouldBeStarted method
- 40bc1c2 export tyler related packages
- 0094ba3 start work on 1.5.2-SNAPSHOT
- 88fd31c prepare release 1.5.1
- 231e9bd more internal changes and refactorings
- 8f3a304 more fine tuning of propertyModelHandler and co
Updates `org.apache.maven.plugins:maven-compiler-plugin` from 3.12.1 to 3.13.0
Release notes
Sourced from org.apache.maven.plugins:maven-compiler-plugin's releases.
Commits
- a1415aa [maven-release-plugin] prepare release maven-compiler-plugin-3.13.0
- b2b9196 [MCOMPILER-574] Propagate cause of exception in AbstractCompilerMojo
- 6d2ce5a [MCOMPILER-584] Refresh page - Using Non-Javac Compilers
- eebad60 [MCOMPILER-585] Refresh plugins versions in ITs
- ceacf68 [MCOMPILER-582] Automatic detection of release option for JDK < 9
- 110293f [MCOMPILER-583] Require Maven 3.6.3
- 90131df [MCOMPILER-575] Bump plexusCompilerVersion from 2.14.2 to 2.15.0 (#227)
- 74cfc72 [MCOMPILER-548] JDK 21 throws annotations processing warning that can not be ...
- f85aa27 Bump apache/maven-gh-actions-shared from 3 to 4
- d59ef49 extract Maven 3.3.1 specific method call
Updates `org.owasp:dependency-check-maven` from 9.0.8 to 9.1.0
Release notes
Sourced from org.owasp:dependency-check-maven's releases.
Changelog
Sourced from org.owasp:dependency-check-maven's changelog.
Commits
- e0b9397 build: prepare release v9.1.0
- 3f1b558 docs: prepare release 9.1.0
- c364269 build(deps): bump jackson.version from 2.16.0 to 2.16.1 (#6353)
- d2c04b5 build(deps): bump org.jsoup:jsoup from 1.16.2 to 1.17.2 (#6362)
- e8c4ca3 build(deps): bump open-vulnerability-client (#6554)
- 2e6a231 build(deps): bump golang from 1.21.5-alpine to 1.22.1-alpine (#6506)
- 0e183da build(deps): bump actions/setup-java from 3 to 4 (#6172)
- 42adde4 fix: typo (#6526)
- f60c867 feat: Add v2 support for maven_install.json (#6528)
- a6a8f21 Merge pull request #1 from nutshelllabs/ef/add-maven-install-v2-support
Updates `org.apache.maven.plugins:maven-gpg-plugin` from 3.1.0 to 3.2.2
Release notes
Sourced from org.apache.maven.plugins:maven-gpg-plugin's releases.
... (truncated)
Commits
- ab97064 [maven-release-plugin] prepare release maven-gpg-plugin-3.2.2
- 2be0a00 [MGPG-115] Show more info about key used to sign (#84)
- 3631830 [MGPG-114] Allow max key size of 16KB (#83)
- 528fab9 [MGPG-113] SignAndDeployFileMojo results in 401 (#82)
- 770636b [maven-release-plugin] prepare for next development iteration
- 5b69086 [maven-release-plugin] prepare release maven-gpg-plugin-3.2.1
- 28d298c [MGPG-111] Fix dependencies (#81)
- 75d8ed5 [MGPG-112] serverId def value was unintentionally dropped (#80)
- 2a11a2d [maven-release-plugin] prepare for next development iteration
- 4b23da8 [maven-release-plugin] prepare release maven-gpg-plugin-3.2.0