Skip to content

chore(deps): bump jjwt.version from 0.12.6 to 0.13.0 in /backend#18

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/backend/jjwt.version-0.13.0
Open

chore(deps): bump jjwt.version from 0.12.6 to 0.13.0 in /backend#18
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/maven/backend/jjwt.version-0.13.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 16, 2026
edited
Loading

Copy link
Copy Markdown

Bumps jjwt.version from 0.12.6 to 0.13.0.
Updates io.jsonwebtoken:jjwt-api from 0.12.6 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt-api's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

  • Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-api's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

  • Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

Commits

Updates io.jsonwebtoken:jjwt-impl from 0.12.6 to 0.13.0

Release notes

Sourced from io.jsonwebtoken:jjwt-impl's releases.

0.13.0

This is the last minor JJWT release branch that will support Java 7.

Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

What's Changed

This release contains a single change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. Thank you to @​kesrishubham2510 for PR #972. See Issue 914.

Full Changelog: jwtk/jjwt@0.12.7...0.13.0

0.12.7

This patch release:

  • Adds a new Maven BOM! This is useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

New Contributors

Full Changelog: jwtk/jjwt@0.12.6...0.12.7

Changelog

Sourced from io.jsonwebtoken:jjwt-impl's changelog.

0.13.0

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

  • The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims type converter on their own specified ObjectMapper instance. See Issue 914.

0.12.7

This patch release:

  • Adds a new Maven BOM, useful for multi-module projects. See Issue 967.

  • Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:

    • Emptying the zip() nested collection disables JWT decompression.
    • Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
    • Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)

    See Issue 996.

  • Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.

  • Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.

  • Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

    Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

    NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

    See Issue 988.

  • Upgrades the Gson dependency to 2.11.0

  • Upgrades the BouncyCastle dependency to 1.78.1

Commits

Updates io.jsonwebtoken:jjwt-jackson from 0.12.6 to 0.13.0

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file java Pull requests that update java code labels May 16, 2026
@dependabot
chore(deps): bump jjwt.version from 0.12.6 to 0.13.0 in /backend
615c084 
Bumps `jjwt.version` from 0.12.6 to 0.13.0.

Updates `io.jsonwebtoken:jjwt-api` from 0.12.6 to 0.13.0
- [Release notes](https://github.com/jwtk/jjwt/releases)
- [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md)
- [Commits](jwtk/jjwt@0.12.6...0.13.0)

Updates `io.jsonwebtoken:jjwt-impl` from 0.12.6 to 0.13.0
- [Release notes](https://github.com/jwtk/jjwt/releases)
- [Changelog](https://github.com/jwtk/jjwt/blob/master/CHANGELOG.md)
- [Commits](jwtk/jjwt@0.12.6...0.13.0)

Updates `io.jsonwebtoken:jjwt-jackson` from 0.12.6 to 0.13.0

---
updated-dependencies:
- dependency-name: io.jsonwebtoken:jjwt-api
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.jsonwebtoken:jjwt-impl
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
- dependency-name: io.jsonwebtoken:jjwt-jackson
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/maven/backend/jjwt.version-0.13.0 branch from 4664fbd to 615c084 Compare May 17, 2026 00:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file java Pull requests that update java code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants