Update dependency io.jsonwebtoken:jjwt-jackson to v0.13.0 #23

renovate · 2025-11-06T19:02:15+01:00

renovate commented

2025-11-06 19:02:15 +01:00

This PR contains the following updates:

Package	Type	Update	Change
io.jsonwebtoken:jjwt-jackson	compile	minor	`0.12.6` -> `0.13.0`

Release Notes

jwtk/jjwt (io.jsonwebtoken:jjwt-jackson)

`v0.13.0`

Compare Source

This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent 0.13.x patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (0.14.0) release.

All future JJWT major and minor versions ( 0.14.0 and later) will require Java 8 or later.

This 0.13.0 minor release has only one change:

The previously private JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap) constructor is now public for those that want register a claims
type converter on their own specified ObjectMapper instance. See Issue 914.

`v0.12.7`

Compare Source

This patch release:

Adds a new Maven BOM, useful for multi-module projects. See Issue 967.
Allows the JwtParserBuilder to have empty nested algorithm collections, effectively disabling the parser's associated feature:
- Emptying the zip() nested collection disables JWT decompression.
- Emptying the sig() nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected).
- Emptying either the enc() or key() nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected)
See Issue 996.
Fixes bug 961 where JwtParserBuilder nested collection builders were not correctly replacing algorithms with the same id.
Ensures a JwkSet's keys collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the keys collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See Issue 976.
Improves performance slightly by ensuring all jjwt-api utility methods that create *Builder instances (Jwts.builder(), Jwts.parserBuilder(), Jwks.builder(), etc) no longer use reflection.

Instead,static factories are created via reflection only once during initial jjwt-api classloading, and then *Builders are created via standard instantiation using the new operator thereafter. This also benefits certain environments that may not have ideal ClassLoader implementations (e.g. Tomcat in some cases).

NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names.

See Issue 988.
Upgrades the Gson dependency to 2.11.0
Upgrades the BouncyCastle dependency to 1.78.1

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [io.jsonwebtoken:jjwt-jackson](https://github.com/jwtk/jjwt) | compile | minor | `0.12.6` -> `0.13.0` | --- ### Release Notes <details> <summary>jwtk/jjwt (io.jsonwebtoken:jjwt-jackson)</summary> ### [`v0.13.0`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0130) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.7...0.13.0) This is the last minor JJWT release branch that will support Java 7. Any necessary emergency bug fixes will be fixed in subsequent `0.13.x` patch releases, but all new development, including Java 8 compatible changes, will be in the next minor (`0.14.0`) release. **All future JJWT major and minor versions ( `0.14.0` and later) will require Java 8 or later.** This `0.13.0` minor release has only one change: - The previously private `JacksonDeserializer(ObjectMapper objectMapper, Map<String, Class<?>> claimTypeMap)` constructor is now `public` for those that want register a claims type converter on their own specified `ObjectMapper` instance. See [Issue 914](https://github.com/jwtk/jjwt/issues/914). ### [`v0.12.7`](https://github.com/jwtk/jjwt/blob/HEAD/CHANGELOG.md#0127) [Compare Source](https://github.com/jwtk/jjwt/compare/0.12.6...0.12.7) This patch release: - Adds a new Maven BOM, useful for multi-module projects. See [Issue 967](https://github.com/jwtk/jjwt/issues/967). - Allows the `JwtParserBuilder` to have empty nested algorithm collections, effectively disabling the parser's associated feature: - Emptying the `zip()` nested collection disables JWT decompression. - Emptying the `sig()` nested collection disables JWS mac/signature verification (i.e. all JWSs will be unsupported/rejected). - Emptying either the `enc()` or `key()` nested collections disables JWE decryption (i.e. all JWEs will be unsupported/rejected) See [Issue 996](https://github.com/jwtk/jjwt/issues/996). - Fixes [bug 961](https://github.com/jwtk/jjwt/issues/961) where `JwtParserBuilder` nested collection builders were not correctly replacing algorithms with the same id. - Ensures a `JwkSet`'s `keys` collection is no longer entirely secret/redacted by default. This was an overzealous default that was unnecessarily restrictive; the `keys` collection itself should always be public, and each individual key within should determine which fields should be redacted when printed. See [Issue 976](https://github.com/jwtk/jjwt/issues/976). - Improves performance slightly by ensuring all `jjwt-api` utility methods that create `*Builder` instances (`Jwts.builder()`, `Jwts.parserBuilder()`, `Jwks.builder()`, etc) no longer use reflection. Instead,`static` factories are created via reflection only once during initial `jjwt-api` classloading, and then `*Builder`s are created via standard instantiation using the `new` operator thereafter. This also benefits certain environments that may not have ideal `ClassLoader` implementations (e.g. Tomcat in some cases). **NOTE: because this changes which classes are loaded via reflection, any environments that must explicitly reference reflective class names (e.g. GraalVM applications) will need to be updated to reflect the new factory class names**. See [Issue 988](https://github.com/jwtk/jjwt/issues/988). - Upgrades the Gson dependency to `2.11.0` - Upgrades the BouncyCastle dependency to `1.78.1` </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

renovate added 1 commit 2025-11-06 19:02:16 +01:00

Update dependency io.jsonwebtoken:jjwt-jackson to v0.13.0

continuous-integration/drone/pr Build was killed

Details

continuous-integration/drone/push Build is failing

Details

02be0a405e

bea merged commit 90334d15f8 into main

2025-11-06 19:03:53 +01:00

bea deleted branch renovate/io.jsonwebtoken-jjwt-jackson-0.x

2025-11-06 19:03:53 +01:00

bea referenced this issue from a commit

2025-11-06 19:03:53 +01:00

Merge pull request 'Update dependency io.jsonwebtoken:jjwt-jackson to v0.13.0' (!23) from renovate/io.jsonwebtoken-jjwt-jackson-0.x into main

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: bea/release-hive#23