Skip to content

Bump jjwt-api from 0.11.5 to 0.12.2

Dependabot requested to merge dependabot-maven-io.jsonwebtoken-jjwt-api-0.12.2 into master

Bumps jjwt-api from 0.11.5 to 0.12.2.

Release notes

Sourced from jjwt-api's releases.

0.12.2

This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did not have its own module-info.java file.

This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS module (scope) problems on >= JDK 17. As such, --add-opens flags are no longer required to use JJWT.

The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert expected functionality in a 'clean room' environment in a project both with and without module-info.java usage.

Notes are in the CHANGELOG, and project documentation is in the README.

Please allow 30 minutes from the time this announcement is published for the release to be available in Maven Central.

0.12.1

This is a quick follow-up release from yesterday's 0.12.0 release that addresses a reflection issue on JDK 17. The fix has been tested up through JDK 21.

Notes are in the CHANGELOG, and project documentation is in the README.

Please allow 30 minutes for the release to be available in Maven Central.

0.12.0

It is finally here! This release includes full support for JSON Web Encryption (JWE), JSON Web Keys (JWK), JSON Web Key Thumbprints, JSON Web Key Thumbprint URIs, and so, so much more.

This is the culmination of hundreds of hours worth of work and testing, and we're glad to finally release it. However, please note:

This is our first-ever breaking change release. While we tried hard to minimize the breakages, some were just necessary in preparation for 1.0 and to finalize all JWT RFC features. If you are not partial to fixing changes when upgrading a library, we strongly encourage you to wait until the 1.0 release.

Please pay particular attention to the CHANGELOG listing breaking changes.

Full documentation is available in the README.

Changelog

Sourced from jjwt-api's changelog.

0.12.2

This is a follow-up release to finalize the work in 0.12.1 that tried to fix a reflection scope problem on >= JDK 17. The 0.12.1 fix worked, but only if the importing project or application did not have its own module-info.java file.

This release removes that reflection code entirely in favor of a JJWT-native implementation, eliminating JPMS module (scope) problems on >= JDK 17. As such, --add-opens flags are no longer required to use JJWT.

The fix has been tested up through JDK 21 in a separate application environment (out of JJWT's codebase) to assert expected functionality in a 'clean room' environment in a project both with and without module-info.java usage.

0.12.1

Enabled reflective access on JDK 17+ to java.io.ByteArrayInputStream and sun.security.util.KeyUtil for jjwt-impl.jar

0.12.0

This is a big release! JJWT now fully supports Encrypted JSON Web Tokens (JWE), JSON Web Keys (JWK) and more! See the sections below enumerating all new features as well as important notes on breaking changes or backwards-incompatible changes made in preparation for the upcoming 1.0 release.

Because breaking changes are being introduced, it is strongly recommended to wait until the upcoming 1.0 release where you can address breaking changes one time only.

Those that need immediate JWE encryption and JWK key support however will likely want to upgrade now and deal with the smaller subset of breaking changes in the 1.0 release.

Simplified Starter Jar

Those upgrading to new modular JJWT versions from old single-jar versions will transparently obtain everything they need in their Maven, Gradle or Android projects.

JJWT's early releases had one and only one .jar: jjwt.jar. Later releases moved to a modular design with 'api' and 'impl' jars including 'plugin' jars for Jackson, GSON, org.json, etc. Some users upgrading from the earlier single jar to JJWT's later versions have been frustrated by being forced to learn how to configure the more modular .jars.

This release re-introduces the jjwt.jar artifact again, but this time it is simply an empty .jar with Maven metadata that will automatically transitively download the following into a project, retaining the old single-jar behavior:

  • jjwt-api.jar
  • jjwt-impl.jar
  • jjwt-jackson.jar

Naturally, developers are still encouraged to configure the modular .jars as described in JJWT's documentation for greater control and to enable their preferred JSON parser, but this stop-gap should help those unaware when upgrading.

JSON Web Encryption (JWE) Support!

... (truncated)

Commits

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

Merge request reports