This release fixes issue #916 and ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release, the following code did not apply changes:
```java
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'
```
Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling `.add(value)`).
However, standard fluent builder chains are still recommended for readability when feasible, e.g.
These same notes are repeated in the CHANGELOG, and as always, project documentation is in the README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
0.12.4
This patch release completes 10 issues, with two especially noteworthy changes, and a number of other smaller bug fixes and enhancements.
The default Jackson deserializer will now reject duplicate JSON members by default in an attempt to be a little more strict at rejecting potentially malicious or malformed JSON. This is a default and can be overridden with a custom ObjectMapper if desired.
Password-based JWE encryption key algorithms (PBES2_HS256_A128KW, PBES2_HS384_A192KW and PBES2_HS512_A256KW) now enforce an upper bound (maximum) number of iterations allowed during decryption to mitigate against potential DoS attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their work on this!
A number of other issues fixed: thread-safe ServiceLoader usage for dynamic JSON processor lookup, Android enhancements for JSON Reader APIs, fixed Elliptic Curve field element padding, and more. Please read the 0.12.4 CHANGELOG for full details of all of these changes, and as always, project documentation is in the 0.12.4 README.
Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.
Ensures that builders' NestedCollection changes are applied to the collection immediately as mutation methods are called, no longer
requiring application developers to call .and() to 'commit' or apply a change. For example, prior to this release,
the following code did not apply changes:
```java
JwtBuilder builder = Jwts.builder();
builder.audience().add("an-audience"); // no .and() call
builder.compact(); // would not keep 'an-audience'
```
Now this code works as expected and all other NestedCollection instances like it apply changes immediately (e.g. when calling `.add(value)`).
However, standard fluent builder chains are still recommended for readability when feasible, e.g.
This patch release includes various changes listed below.
Jackson Default Parsing Behavior
This release makes two behavioral changes to JJWT's default Jackson ObjectMapper parsing settings:
In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could
have undesirable effects on an application, JJWT's default ObjectMapper is now configured to explicitly reject/fail
parsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.
For example, now the following JSON, if parsed, would fail (be rejected) by default:
Technically, the JWT RFCs do allow duplicate named fields as long as the last parsed member is the one used
(see JWS RFC 7515, Section 4), so this is allowed.
However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these
JaCoCo now officially supports Java 22 (GitHub #1596).
Experimental support for Java 23 class files (GitHub #1553).
Fixed bugs
Branches added by the Kotlin compiler for functions with default arguments and having more than 32 parameters are filtered out during generation of report (GitHub #1556).
Branch added by the Kotlin compiler version 1.5.0 and above for reading from lateinit property is filtered out during generation of report (GitHub #1568).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions
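Bumps the dependencies group with 14 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| org.mockito:mockito-core | 5.8.0 | 5.12.0 |
| com.fasterxml.jackson.core:jackson-databind | 2.16.1 | 2.17.1 |
| com.fasterxml.jackson.core:jackson-annotations | 2.16.1 | 2.17.1 |
| com.fasterxml.jackson.core:jackson-core | 2.16.1 | 2.17.1 |
| com.fasterxml.jackson.datatype:jackson-datatype-jsr310 | 2.16.1 | 2.17.1 |
| org.threeten:threeten-extra | 1.7.2 | 1.8.0 |
| io.jsonwebtoken:jjwt | 0.12.3 | 0.12.5 |
| org.slf4j:slf4j-api | 2.0.11 | 2.0.13 |
| ch.qos.logback:logback-classic | 1.4.14 | 1.5.6 |
| org.apache.maven.plugins:maven-compiler-plugin | 3.12.1 | 3.13.0 |
| org.owasp:dependency-check-maven | 9.0.8 | 9.2.0 |
| org.jacoco:jacoco-maven-plugin | 0.8.11 | 0.8.12 |
| org.apache.maven.plugins:maven-source-plugin | 3.3.0 | 3.3.1 |
| org.apache.maven.plugins:maven-gpg-plugin | 3.1.0 | 3.2.4 |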
Updates `org.mockito:mockito-core` from 5.8.0 to 5.12.0

Release notes
Sourced from org.mockito:mockito-core's releases.
... (truncated)

Commits
- `12cef84` AdditionalMatchers.and() and or() swap matcher order (#3335)
- `f3821ff` Bump com.gradle.enterprise from 3.17.2 to 3.17.3 (#3341)
- `25ad018` Bump org.jetbrains.kotlin:kotlin-stdlib from 1.9.23 to 1.9.24 (#3339)
- `de38124` Bump versions.bytebuddy from 1.14.14 to 1.14.15 (#3338)
- `88e8481` Bump org.jetbrains.kotlin:kotlin-gradle-plugin from 1.9.23 to 1.9.24 (#3336)
- `8c222c2` Bump org.shipkit:shipkit-auto-version from 2.0.6 to 2.0.7 (#3337)
- `fb9ff6d` Bump gradle/wrapper-validation-action from 3.3.1 to 3.3.2 (#3327)
- `af70125` Bump versions.bytebuddy from 1.14.13 to 1.14.14 (#3324)
- `1eac76b` Bump org.shipkit:shipkit-auto-version from 2.0.5 to 2.0.6 (#3322)
- `cd512ab` Bump gradle/wrapper-validation-action from 3.3.0 to 3.3.1 (#3320)

Updates `com.fasterxml.jackson.core:jackson-databind` from 2.16.1 to 2.17.1

Updates `com.fasterxml.jackson.core:jackson-annotations` from 2.16.1 to 2.17.1

Updates `com.fasterxml.jackson.core:jackson-core` from 2.16.1 to 2.17.1

Commits
- `cba40f1` [maven-release-plugin] prepare release jackson-core-2.17.1
- `d33c4b5` Prepare for 2.17.1 release
- `2a4a6dc` Fix #1256: revert #1117, default recycler pool again `threadLocalPool()` (for...
- `7e57e5b` Update branch designation for CI
- `4b8d399` Part of #1260: write a manually run concurrency test to tease out problem wit...
- `33c4260` Fixes #1262: Add diagnostic method pooledCount() in RecyclerPool (#1263)
- `c73bde2` Fix `NumberInput.looksLikeValidNumber()` implementation (#1241)
- `1c656ae` ...
- `11e3bd7` update(tests): migrate remaining JUnit 4 code in core to JUnit 5 (#1248)
- `fff79ea` update(tests): migrate JUnit 4 code to JUnit 5 in core.base64 to core.sym (#1...

Updates `com.fasterxml.jackson.datatype:jackson-datatype-jsr310` from 2.16.1 to 2.17.1

Updates `org.threeten:threeten-extra` from 1.7.2 to 1.8.0

Release notes
Sourced from org.threeten:threeten-extra's releases.

Commits
- `583ef31` [maven-release-plugin] prepare release v1.8.0
- `eebb5cb` Prepare for release
- `8dbbfab` Update dependency versions and pom.xml
- `9d82587` Update docs for release
- `d989a4a` Add `HourMinute` (#322)
- `f665c2f` test_equals_and_hashCode (#316)
- `1860c5e` Fix half year method names (#315)
- `4525d74` Bump com.google.guava:guava from 32.1.2-jre to 32.1.3-jre (#310)
- `111501c` Bump org.junit:junit-bom from 5.9.1 to 5.10.1 (#305)
- `54e3d4f` Half years (#303)

Updates `io.jsonwebtoken:jjwt` from 0.12.3 to 0.12.5

Release notes
Sourced from io.jsonwebtoken:jjwt's releases.

Changelog
Sourced from io.jsonwebtoken:jjwt's changelog.
... (truncated)

Commits
- `2399e2f` [maven-release-plugin] prepare release 0.12.5
- `8d3de65` Preparing for 0.12.5 release
- `a0a123e` PR #917
- `afcd889` 0.12.4 staging (#913)
- `dd10b12` Added JWK Set documentation to README.md Jwkset doc (#912)
- `6335381` PBES2 decryption maximum iterations (#911)
- `2884eb7` - Updating to GitHub latest actions/checkout and actions/setup-java script ve...
- `628bd6f` Secret JWK `k` values larger than HMAC-SHA minimums (#909)
- `b12dabf` Fix small typos (#908)
- `26f5dc3` Updating changelog with more information/clarity for the 0.12.4 release (#907)

Updates `org.slf4j:slf4j-api` from 2.0.11 to 2.0.13

Updates `ch.qos.logback:logback-classic` from 1.4.14 to 1.5.6

Commits
- `7812a55` prepare release 1.5.6
- `759fc25` fix issues/805 i.e. LOGBACK-1768, included file with inner conditional
- `3d55638` start work on 1.5.6-SNAPSHOT
- `a91d2b6` notes about javadocs
- `c7c5e89` prepare release 1.5.5
- `7db8797` upgrade build to slf4j 2.0.13
- `f9c04d2` test inclusion with conditionals
- `f32ed30` remove support for metaannotations for NoAutoStart annotation
- `4476edd` Search for `@NoAutoStart` annotations in ancestor hierarchy, implemented interf...
- `a649c60` rename IncludeActionTest as IncludeModelHandlerTest

Updates `org.apache.maven.plugins:maven-compiler-plugin` from 3.12.1 to 3.13.0

Release notes
Sourced from org.apache.maven.plugins:maven-compiler-plugin's releases.

Commits
- `a1415aa` [maven-release-plugin] prepare release maven-compiler-plugin-3.13.0
- `b2b9196` [MCOMPILER-574] Propagate cause of exception in AbstractCompilerMojo
- `6d2ce5a` [MCOMPILER-584] Refresh page - Using Non-Javac Compilers
- `eebad60` [MCOMPILER-585] Refresh plugins versions in ITs
- `ceacf68` [MCOMPILER-582] Automatic detection of release option for JDK < 9
- `110293f` [MCOMPILER-583] Require Maven 3.6.3
- `90131df` [MCOMPILER-575] Bump plexusCompilerVersion from 2.14.2 to 2.15.0 (#227)
- `74cfc72` [MCOMPILER-548] JDK 21 throws annotations processing warning that can not be ...
- `f85aa27` Bump apache/maven-gh-actions-shared from 3 to 4
- `d59ef49` extract Maven 3.3.1 specific method call

Updates `org.owasp:dependency-check-maven` from 9.0.8 to 9.2.0

Release notes
Sourced from org.owasp:dependency-check-maven's releases.

Changelog
Sourced from org.owasp:dependency-check-maven's changelog.

Commits
- `192b4cd` build: prepare release v9.2.0
- `e50e20d` docs: update changelog
- `5ce66cf` build(deps): bump org.apache.maven.plugin-tools:maven-plugin-annotations from...
- `61edfd1` docs: update logo per intellj (#6660)
- `8b1746e` build(deps): bump com.github.spotbugs:spotbugs-annotations from 4.8.4 to 4.8....
- `754dec1` build(deps): bump maven-plugin-plugin (#6646)
- `969bc27` build(deps): bump org.apache.maven.plugins:maven-surefire-report-plugin from ...
- `57b916a` build(deps): bump com.github.spotbugs:spotbugs-maven-plugin from 4.8.4.0 to 4...
- `9c9c466` build(deps): bump commons-codec:commons-codec from 1.16.1 to 1.17.0 (#6633)
- `e26096d` build(deps): bump commons-cli:commons-cli from 1.6.0 to 1.7.0 (#6629)

Updates `org.jacoco:jacoco-maven-plugin` from 0.8.11 to 0.8.12

Release notes
Sourced from org.jacoco:jacoco-maven-plugin's releases.

Commits
- `dbfb6f2` Prepare release 0.8.12
- `a50585b` Upgrade maven-plugin-plugin to 3.6.4 (#1604)
- `fd63cc5` Configure labels that Dependabot assigns to PRs (#1603)
- `03a5333` Add configuration for Dependabot to simplify updates of ASM (#1601)
- `40ff9fb` Upgrade ASM to 9.7 (#1600)
- `9077178` Happy birthday Java 22! (#1596)
- `7edd1b5` Bump actions/setup-java from 4.1.0 to 4.2.1 (#1594)
- `e50b547` Upgrade ECJ to 3.37.0 (#1590)
- `a1144d0` Upgrade maven-site-plugin to 3.12.1 (#1586)
- `04b0141` Bump actions/setup-java from 4.0.0 to 4.1.0 (#1587)

Updates `org.apache.maven.plugins:maven-source-plugin` from 3.3.0 to 3.3.1

Commits
- `f80596e` [maven-release-plugin] prepare release maven-source-plugin-3.3.1
- `7626998` Bump apache/maven-gh-actions-shared from 3 to 4
- `83c963c` Bump org.apache.maven.plugins:maven-plugins from 39 to 41 (#18)
- `40ae495` Bump org.codehaus.plexus:plexus-archiver from 4.8.0 to 4.9.1 (#20)
- `073462b` Bump org.apache.maven:maven-archiver from 3.6.0 to 3.6.1 (#21)
- `0b1c823` Fix typos in AbstractSourceJarMojo exception
- `099c65a` [MSOURCES-142] Bump org.codehaus.plexus:plexus-archiver from 4.7.1 to 4.8.0 (...
- `1edeea4` [MSOURCES-139] Fix typo in AbstractSourceJarMojo exception
- `436966e` [maven-release-plugin] prepare for next development iteration

Updates `org.apache.maven.plugins:maven-gpg-plugin` from 3.1.0 to 3.2.4

Release notes
Sourced from org.apache.maven.plugins:maven-gpg-plugin's releases.
... (truncated)

Commits
- `789149e` [maven-release-plugin] prepare release maven-gpg-plugin-3.2.4
- `893aedc` [MGPG-125] Fix "bestPractices" (#95)
- `b6f0324` [MGPG-126] Bump commons-io:commons-io from 2.16.0 to 2.16.1 (#94)
- `3c5878b` [maven-release-plugin] prepare for next development iteration
- `89b91a4` [maven-release-plugin] prepare release maven-gpg-plugin-3.2.3
- `fc2efa3` [MGPG-123][MGPG-124] Dependency upgrades (#93)
- `50222d3` [MGPG-120] New mojo sign-deployed (#88)
- `a6c3a09` [MGPG-122] Bump org.apache.maven.plugins:maven-invoker-plugin from 3.6.0 to 3...
- `78f5e37` [MGPG-121] Return the workaround for pseudo security (#90)
- `582df74` [MGPG-117] Improve passphrase handling (#86)