fix(deps): update dependency io.jsonwebtoken:jjwt-impl to v0.12.5 - autoclosed #290
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
0.12.3
->0.12.5
Release Notes
jwtk/jjwt (io.jsonwebtoken:jjwt-impl)
v0.12.5
Compare Source
This patch release:
Ensures that builders'
NestedCollection
changes are applied to the collection immediately as mutation methods are called, no longerrequiring application developers to call
.and()
to 'commit' or apply a change. For example, prior to this release,the following code did not apply changes:
Now this code works as expected and all other
NestedCollection
instances like it apply changes immediately (e.g. when calling.add(value)
).However, standard fluent builder chains are still recommended for readability when feasible, e.g.
See Issue 916.
v0.12.4
Compare Source
This patch release includes various changes listed below.
Jackson Default Parsing Behavior
This release makes two behavioral changes to JJWT's default Jackson
ObjectMapper
parsing settings:In the interest of having stronger standards to reject potentially malformed/malicious/accidental JSON that could
have undesirable effects on an application, JJWT's default
ObjectMapper
is now configured to explicitly reject/failparsing JSON (JWT headers and/or Claims) if/when that JSON contains duplicate JSON member names.
For example, now the following JSON, if parsed, would fail (be rejected) by default:
Technically, the JWT RFCs do allow duplicate named fields as long as the last parsed member is the one used
(see JWS RFC 7515, Section 4), so this is allowed.
However, because JWTs often reflect security concepts, it's usually better to be defensive and reject these
unexpected scenarios by default. The RFC later supports this position/preference in
Section 10.12:
Finally, this is just a default, and the RFC does indeed allow duplicate member names if the last value is used,
so applications that require duplicates to be allowed can simply configure their own
ObjectMapper
and usethat with JJWT instead of assuming this (new) JJWT default. See
Issue #877 for more.
If using JJWT's support to use Jackson to parse
Custom Claim Types (for example, a Claim that should be
unmarshalled into a POJO), and the JSON for that POJO contained a member that is not represented in the specified
class, Jackson would fail parsing by default. Because POJOs and JSON data models can sometimes be out of sync
due to different class versions, the default behavior has been changed to ignore these unknown JSON members instead
of failing (i.e. the
ObjectMapper
'sDeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES
is now set tofalse
)by default.
Again, if you prefer the stricter behavior of rejecting JSON with extra or unknown properties, you can configure
true
on your ownObjectMapper
instance and use that instance with theJwts.parser()
builder.Additional Changes
This release also:
java.util.ServiceLoader
to dynamically lookup/instantiate pluggableimplementations of JJWT interfaces (e.g. JSON parsers, etc). See
Issue #873 and its documented fix in
PR #893.
org.json
library usages can parse JSON from aJwtBuilder
-providedjava.io.Reader
instance. Issue 882.aud
(Audience) claim is retained (without converting it to aSet
) when copying/applying asource Claims instance to a destination Claims builder. Issue 890.
x
,y
, andd
) byte array valuesif necessary before Base64Url-encoding per RFC 7518, Sections
6.2.1.2,
6.2.1.3, and
6.2.2.1, respectively.
Issue 901.
k
sizes larger than the algorithm minimum canbe parsed/used as expected. See Issue #905
attacks. Many thanks to Jingcheng Yang and Jianjun Chen from Sichuan University and Zhongguancun Lab for their
work on this. See PR 911.
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.